Malware Analysis Report

2024-11-30 04:15

Sample ID 240613-adwmpawfja
Target a31224d26b26443ef664482c59a05399_JaffaCakes118
SHA256 96d822e1de3f50016ea9cd158071698714cb0aa5dd2da3d86d82c987604196c8
Tags
evasion persistence spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

96d822e1de3f50016ea9cd158071698714cb0aa5dd2da3d86d82c987604196c8

Threat Level: Known bad

The file a31224d26b26443ef664482c59a05399_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:06

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:06

Reported

2024-06-13 00:08

Platform

win7-20240611-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\uxxoronwws.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\uxxoronwws.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ggwswaps = "uavmpzbqdyxklqv.exe" C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bdmwnmpjcpqqi.exe" C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vuvryufa = "uxxoronwws.exe" C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\uxxoronwws.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\eadtoxwf.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\uxxoronwws.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\uxxoronwws.exe N/A
File created C:\Windows\SysWOW64\uxxoronwws.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\eadtoxwf.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\eadtoxwf.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\uxxoronwws.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\eadtoxwf.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\eadtoxwf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B0FF1D22DAD179D1D28A7F916B" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\uxxoronwws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\uxxoronwws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
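
Two things in the table above are easy to misread. The rows attributed to WINWORD.EXE (OpenWithList, ddeexec, IconHandler, and the binary "command" value) are Word's own component registration on launch, which the sample triggered by opening C:\Windows\mydoc.rtf; decoding the binary value gives an MSI advertised-shortcut (Darwin) descriptor followed by "/dde", not data the sample wrote. The rows attributed to uxxoronwws.exe are the sample's: pointing the .vbs and .WSF (Default) ProgID at txtfile makes a double-clicked script open in a text editor instead of executing. The following is an added example, not part of the sandbox output: it parses the flattened "Description Indicator Process Target" registry rows, decodes str/int/data values, and flags the script-handler remaps. The rows in SAMPLE_ROWS are copied verbatim from the table; the row grammar assumed (action, key path, optional "= value", process, target) and the function names are this example's own.

```python
"""Parse the flattened registry rows of this report and decode their values.

Added example for this page, not part of the sandbox output. SAMPLE_ROWS are
copied verbatim from the table above; the row grammar assumed here (action,
key path, optional "= value", process, target) and the function names are
this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

SAMPLE_ROWS = [
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\uxxoronwws.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\uxxoronwws.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A",
]

ACTION_RE = re.compile(
    r"^(?P<action>Set value \((?P<type>str|int|data)\)|Key (?:created|deleted|opened)|"
    r"Key value queried) (?P<rest>\\REGISTRY\\.*)$"
)


@dataclass
class RegEvent:
    action: str
    value_type: Optional[str]   # "str", "int", "data", or None for key-only actions
    key: str                    # key path without the value name
    value_name: Optional[str]   # "" means the key's (Default) value
    value: Union[str, int, bytes, None]
    process: str                # process the sandbox attributed the operation to
    target: str


def decode_value(value_type: str, raw: str) -> Union[str, int, bytes]:
    """Turn the report's textual rendering of a value back into data."""
    if value_type == "int":
        return int(raw.strip('"'))
    if value_type == "str":
        # The report quotes strings and backslash-escapes quotes and backslashes.
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        return re.sub(r"\\(.)", r"\1", raw)
    # "data" rows are a hex dump of REG_BINARY; Windows strings inside are UTF-16LE.
    blob = bytes.fromhex(raw)
    try:
        return blob.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return blob


def parse_row(row: str) -> RegEvent:
    body, target = row.rsplit(" ", 1)
    # The process path is the last " C:\" token. Quoted paths inside values are
    # preceded by \" rather than a space, so they do not collide with it.
    cut = body.rfind(" C:\\")
    if cut < 0:
        raise ValueError(f"no process path in row: {row!r}")
    process, body = body[cut + 1:], body[:cut]
    m = ACTION_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    action, value_type, rest = m.group("action"), m.group("type"), m.group("rest")
    if value_type is None:
        return RegEvent(action, None, rest, None, None, process, target)
    key_path, raw = rest.split(" = ", 1)
    key, _, value_name = key_path.rpartition("\\")
    return RegEvent(action, value_type, key, value_name, decode_value(value_type, raw), process, target)


def script_handler_hijacks(events: List[RegEvent]) -> List[Tuple[str, str]]:
    """(extension, process) pairs where an extension's (Default) ProgID was set to txtfile."""
    hits = []
    for ev in events:
        if (ev.value_type == "str" and ev.value_name == "" and ev.value == "txtfile"
                and ev.key.startswith(r"\REGISTRY\MACHINE\SOFTWARE\Classes\.")):
            hits.append((ev.key.rsplit("\\", 1)[1], ev.process))
    return hits


if __name__ == "__main__":
    events = [parse_row(r) for r in SAMPLE_ROWS]
    for ev in events:
        who = ev.process.rsplit("\\", 1)[-1]
        print(f"{ev.action:<17} {who:<16} {ev.key}\\{ev.value_name or ''} -> {ev.value!r}")
    print("script handlers pointed at txtfile:", script_handler_hijacks(events))
```

Feed it the whole "Modifies registry class" table rather than these five rows and the split by attributed process falls out directly: everything from WINWORD.EXE is Office self-registration, everything from the SysWOW64 drops is the sample.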

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uxxoronwws.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\eadtoxwf.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uxxoronwws.exe
PID 2032 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uxxoronwws.exe
PID 2032 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uxxoronwws.exe
PID 2032 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uxxoronwws.exe
PID 2032 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe
PID 2032 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe
PID 2032 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe
PID 2032 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe
PID 2032 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2032 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2032 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2032 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe
PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe
PID 2460 wrote to memory of 2672 N/A C:\Windows\SysWOW64\uxxoronwws.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2460 wrote to memory of 2672 N/A C:\Windows\SysWOW64\uxxoronwws.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2460 wrote to memory of 2672 N/A C:\Windows\SysWOW64\uxxoronwws.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2460 wrote to memory of 2672 N/A C:\Windows\SysWOW64\uxxoronwws.exe C:\Windows\SysWOW64\eadtoxwf.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2712 wrote to memory of 536 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2712 wrote to memory of 536 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2712 wrote to memory of 536 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2712 wrote to memory of 536 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
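
Read as a graph, the rows above give the process tree of this detonation: the sample (PID 2032) writes into four freshly started SysWOW64 copies and into WINWORD.EXE, uxxoronwws.exe (2460) starts a second eadtoxwf.exe (2672), and Word starts its splwow64.exe print helper. Every target receives exactly four writes and every target is an image the writer itself launched (compare the Processes list below), which is the pattern this signature produces for ordinary child-process creation under WOW64; a write into a process the writer did not create would be the injection indicator to chase. The following is an added example, not part of the sandbox output: it rebuilds that tree from the rows. EDGE_ROWS are the seven distinct rows of the table, copied verbatim, and ROWS replays each four times as the report does; the row grammar and the function names are this example's own.

```python
"""Rebuild the process graph from the "Suspicious use of WriteProcessMemory"
rows of this report.

Added example for this page, not part of the sandbox output. EDGE_ROWS are the
seven distinct rows of the table above, copied verbatim; the report lists each
of them four times, which ROWS reproduces. The row grammar assumed here and the
function names are this example's own.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

EDGE_ROWS = [
    r"PID 2032 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uxxoronwws.exe",
    r"PID 2032 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe",
    r"PID 2032 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\eadtoxwf.exe",
    r"PID 2032 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe",
    r"PID 2460 wrote to memory of 2672 N/A C:\Windows\SysWOW64\uxxoronwws.exe C:\Windows\SysWOW64\eadtoxwf.exe",
    r"PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
    r"PID 2712 wrote to memory of 536 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe",
]
ROWS = [row for row in EDGE_ROWS for _ in range(4)]

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<paths>C:\\.+)$")


def parse_rows(rows: List[str]) -> Tuple[Dict[int, str], Counter]:
    """Return pid -> image path and (writer pid, target pid) -> number of writes."""
    names: Dict[int, str] = {}
    edges: Counter = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        paths = m.group("paths")
        # Both image paths may contain spaces; the target starts at the last " C:\".
        cut = paths.rfind(" C:\\")
        writer, target = paths[:cut], paths[cut + 1:]
        src, dst = int(m.group("src")), int(m.group("dst"))
        names[src], names[dst] = writer, target
        edges[(src, dst)] += 1
    return names, edges


def roots(names: Dict[int, str], edges: Counter) -> Set[int]:
    """Processes that were written to by nobody, i.e. the tops of the tree."""
    return set(names) - {dst for _, dst in edges}


def render_tree(names: Dict[int, str], edges: Counter, root: int) -> List[str]:
    """Indented lines, one per process, with the write count from its parent."""
    children = defaultdict(list)
    for (src, dst), count in edges.items():
        children[src].append((dst, count))
    lines: List[str] = []

    def walk(pid: int, depth: int, count: int) -> None:
        image = names[pid].rsplit("\\", 1)[-1]
        suffix = f"  ({count} writes from parent)" if count else ""
        lines.append(f"{'  ' * depth}{pid} {image}{suffix}")
        for child, n in sorted(children[pid]):
            walk(child, depth + 1, n)

    walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    names, edges = parse_rows(ROWS)
    for root in sorted(roots(names, edges)):
        print("\n".join(render_tree(names, edges, root)))
```

The uniform count of four writes per edge is the tell: a genuine injection into an already running process typically shows up as a single edge with a different write count and a target the writer never launched.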

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe"

C:\Windows\SysWOW64\uxxoronwws.exe

uxxoronwws.exe

C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe

uavmpzbqdyxklqv.exe

C:\Windows\SysWOW64\eadtoxwf.exe

eadtoxwf.exe

C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe

bdmwnmpjcpqqi.exe

C:\Windows\SysWOW64\eadtoxwf.exe

C:\Windows\system32\eadtoxwf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\uavmpzbqdyxklqv.exe

MD5 285b463c4cde2f12584de92536ea9348
SHA1 f6264da9f6e7ecd072b697042d1a4a15291e3a5a
SHA256 53095259559153a95c039486f515dcc552ac3d1aed0294f3cbd26e26fae0d813
SHA512 5e215ce6728cfbea449eb8491a703919d349bb0a3468a9898147c4333d0e22abc89bed032c49b46d4b22e3912d9e9b70890b4b488e849991163ba3c4078db55f

\Windows\SysWOW64\uxxoronwws.exe

MD5 86eadd6131da3ad989b2daeb8e082773
SHA1 513550a1683d7dc2bdd33c6df481b2b8912e2fdf
SHA256 aa78604d579a56e556f47e31bcd7a27d6e057904ce1fe4efd4b2ade1caf1dd6a
SHA512 134a5b02936ad2f3afc3858cf6d34c7d2ef6cd0ccd5396ee4d0e241ffd8feb77f35ef053d63b884c2cd8427cbf57ae08eb7ea1843b8f579c2406548e57eec1ad

C:\Windows\SysWOW64\eadtoxwf.exe

MD5 d048670cfc093d02dc53b00185069443
SHA1 9928b5170e6d346aa9fe4c6f382f194e9167841d
SHA256 02e2f826d8030f9682855a9a98295173da6df85bb79d08d43e89ba9a74c1e526
SHA512 60a0394f1078791385cb086839827a0357bac2aaea77d0b49c519c8c170edba9c975da0c46eb9195fc13153f9c7ba2c17029ebcd74140612c25b5ea1f5c0f470

C:\Windows\SysWOW64\bdmwnmpjcpqqi.exe

MD5 bf9ef53459004e0e9d02429bed341c23
SHA1 8c6d69b1f5b97bce02cbd2b50c8622b96a323b1d
SHA256 0afe8b2f24a48505d620b5007cf3fa6fb68cef48891f12be7215378a057a0292
SHA512 018f6e813617021e944a61c45f645d405da00acd6c003a5403fa2efb8c30694a3c628a5e92adcd97a60f43c755a16f5c9ac2b8e818ae84b91ea3b7c814e0af77

memory/2712-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 e6c42af7990eb8b33cd6e54dfd959efc
SHA1 72a2824bded923cab3d148f9bb602721574707d0
SHA256 5f783b77efde332884a43bb1ef89fb8c65c87d51ad1684708fb6a702cb755ada
SHA512 06a26b5f9f60981c686b36689eca27fbe92f5bd243cc8831f8694e76ed7e7b8e1533597414c4e60ab6412c862bc368ff68c577a9cc52941ce7db21366b22a227

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 dddd61d30a3df697f1e3633692bb2470
SHA1 e27959f8aa65655fc1cd48ad6758af8ba1c2e52f
SHA256 5eb2c106fe02dfa8459bcd39ab47225e816c0786313f0e4b85838a655234b6f9
SHA512 e3510879db533f2d2e22fb89cb23d701f3aecab9a40aaff46dcc73cda1d182a9ea32f3d85e095327132019887e9bbaf8d70d592266f59704081c0c6e4ca40a00

C:\Users\Admin\AppData\Roaming\WatchCheckpoint.doc.exe

MD5 6499e093acdf4d73be0906170fe794cf
SHA1 1bdd0bbdccbfd34459e35afcd4d0bbe6bd0290b4
SHA256 a95a8048bf24ea9443bf9c66234344bad33725393b5cb2b4dc13891b593afd63
SHA512 e0c52e61fd4924cf9aaec3cb72481cc748c5a1a3eadbd46675e44b92dd3d3a94d10edcd3cef73825b6389ca0b081f0331cea981966ba309b11bb29fcffd08f90

memory/912-87-0x0000000003CA0000-0x0000000003CB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:06

Reported

2024-06-13 00:09

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\khfjvspmqr.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\khfjvspmqr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swkvjihf = "mkvnsxlhfzfsvde.exe" C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "viadpnxblugim.exe" C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsnsfcjn = "khfjvspmqr.exe" C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bxzdtjoj.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
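
The registry writes in the Windows security bypass, Disables RegEdit, Explorer visibility, Adds Run key and Modifies WinLogon tables above are the sample's install routine and are what a responder would check on a suspect host. Two caveats apply: SFCDisable = 0xFFFFFF9D is the Windows 2000/XP switch for Windows File Protection and is ignored by Windows Resource Protection on Vista and later, and the Security Center override values are XP SP2-era settings, so on the win10v2004 platform used here they are reliable indicators rather than an effective bypass. HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults; they matter only together with the .DOC.exe drops listed elsewhere in this report. The following is an added example, not part of the sandbox output: it audits a registry snapshot for exactly these values and for Run entries that name a bare executable instead of a full quoted path (a heuristic of this example's own). The snapshot layout, the function names and SAMPLE_SNAPSHOT are assumptions of this example; SAMPLE_SNAPSHOT reproduces the values from the tables above with the WOW6432Node redirection folded into the logical HKLM\SOFTWARE path, and snapshot_from_live() reads the same keys on a Windows host.

```python
"""Audit a registry snapshot for the defence-evasion and persistence writes
this report attributes to khfjvspmqr.exe and mkvnsxlhfzfsvde.exe.

Added example for this page, not part of the sandbox output. The snapshot
layout (hive-qualified key -> {value name: data}), the function names and the
path-less Run heuristic are this example's own. SAMPLE_SNAPSHOT reproduces the
values from the behavioral2 tables above with the WOW6432Node redirection
folded into the logical HKLM\\SOFTWARE path.
"""
from typing import Any, Dict, List, NamedTuple

Snapshot = Dict[str, Dict[str, Any]]

SEC_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
POLICIES_SYSTEM = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# (key, value name, clean value, report signature, severity). A value that is
# absent or equal to the clean value passes. "high": not set by default and,
# outside a locked-down group policy, not set by legitimate software. "info":
# HideFileExt=1 / ShowSuperHidden=0 are Windows defaults and only matter
# together with the .DOC.exe drops elsewhere in the report.
CHECKS = [
    (SEC_CENTER, "AntiVirusOverride", 0, "Windows security bypass", "high"),
    (SEC_CENTER, "FirewallOverride", 0, "Windows security bypass", "high"),
    (SEC_CENTER, "AntiVirusDisableNotify", 0, "Windows security bypass", "high"),
    (SEC_CENTER, "FirewallDisableNotify", 0, "Windows security bypass", "high"),
    (SEC_CENTER, "UpdatesDisableNotify", 0, "Windows security bypass", "high"),
    (SEC_CENTER, "FirstRunDisabled", 0, "Windows security modification", "info"),
    (POLICIES_SYSTEM, "DisableRegistryTools", 0, "Disables RegEdit via registry modification", "high"),
    (WINLOGON, "SFCDisable", 0, "Modifies WinLogon", "high"),
    (EXPLORER_ADV, "HideFileExt", 0, "Modifies visibility of file extensions in Explorer", "info"),
    (EXPLORER_ADV, "ShowSuperHidden", 1, "Modifies visibility of hidden/system files in Explorer", "info"),
]


class Finding(NamedTuple):
    key: str
    name: str
    observed: Any
    expected: Any
    signature: str
    severity: str


def pathless_run_entries(snap: Snapshot) -> List[Finding]:
    """Run values naming a bare .exe (resolved via the System32/SysWOW64 search
    path) instead of a quoted full path, as the three entries in this report do."""
    out = []
    for name, cmd in snap.get(RUN, {}).items():
        if isinstance(cmd, str) and "\\" not in cmd and cmd.lower().endswith(".exe"):
            out.append(Finding(RUN, name, cmd, "quoted full path", "Adds Run key to start application", "medium"))
    return out


def audit(snap: Snapshot) -> List[Finding]:
    findings = []
    for key, name, clean, signature, severity in CHECKS:
        values = snap.get(key, {})
        if name in values and values[name] != clean:
            findings.append(Finding(key, name, values[name], clean, signature, severity))
    findings.extend(pathless_run_entries(snap))
    return findings


def snapshot_from_live() -> Snapshot:
    """Read the same keys from the running machine (Windows only).
    KEY_WOW64_32KEY selects the WOW6432Node view the 32-bit sample wrote to."""
    import winreg  # standard library, importable only on Windows

    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for key in sorted({c[0] for c in CHECKS} | {RUN}):
        hive, _, subkey = key.partition("\\")
        try:
            handle = winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_READ | winreg.KEY_WOW64_32KEY)
        except OSError:
            continue
        values: Dict[str, Any] = {}
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(handle, index)
            except OSError:
                break
            values[name] = data
            index += 1
        snap[key] = values
    return snap


# Values from the behavioral2 tables above; "" is the key's (Default) value.
SAMPLE_SNAPSHOT: Snapshot = {
    SEC_CENTER: {"FirewallOverride": 1, "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1,
                 "UpdatesDisableNotify": 1, "AntiVirusOverride": 1, "FirstRunDisabled": 1},
    POLICIES_SYSTEM: {"DisableRegistryTools": 1},
    EXPLORER_ADV: {"HideFileExt": 1, "ShowSuperHidden": 0},
    WINLOGON: {"SFCDisable": 4294967197, "SFCScan": 0},
    RUN: {"swkvjihf": "mkvnsxlhfzfsvde.exe", "": "viadpnxblugim.exe", "fsnsfcjn": "khfjvspmqr.exe"},
}

if __name__ == "__main__":
    import sys
    snap = snapshot_from_live() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for f in audit(snap):
        shown = hex(f.observed) if isinstance(f.observed, int) and f.observed > 0xFFFF else repr(f.observed)
        print(f"[{f.severity:<6}] {f.signature}: {f.key}\\{f.name or '(Default)'} = {shown} (clean: {f.expected!r})")
```

The printed SFCDisable value comes out as 0xffffff9d, which is how the "4294967197" in the table above is usually written; setting the (Default) value of the Run key, as the second Run row does, is itself unusual and survives a tool that only lists named values.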

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File created C:\Windows\SysWOW64\khfjvspmqr.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\viadpnxblugim.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\viadpnxblugim.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bxzdtjoj.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Windows\SysWOW64\khfjvspmqr.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bxzdtjoj.exe C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\khfjvspmqr.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\bxzdtjoj.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8E4858856E9047D7297E9DBDEFE147584267406337D799" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC70F1596DBC4B8CE7C92ED9634CF" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABFFE6BF19784083A3286973999B08903FE4315023AE2C8429D08D6" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B6FE6A22DBD209D0D48A089164" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\khfjvspmqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0B9C5683556D4377D377262CAC7C8F65DB" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B05B44E4399F52CABAA7329AD7CC" C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\khfjvspmqr.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\viadpnxblugim.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\bxzdtjoj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\khfjvspmqr.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\khfjvspmqr.exe
PID 4784 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\khfjvspmqr.exe
PID 4784 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe
PID 4784 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe
PID 4784 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe
PID 4784 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bxzdtjoj.exe
PID 4784 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bxzdtjoj.exe
PID 4784 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\bxzdtjoj.exe
PID 4784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\viadpnxblugim.exe
PID 4784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\viadpnxblugim.exe
PID 4784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Windows\SysWOW64\viadpnxblugim.exe
PID 1592 wrote to memory of 4088 N/A C:\Windows\SysWOW64\khfjvspmqr.exe C:\Windows\SysWOW64\bxzdtjoj.exe
PID 1592 wrote to memory of 4088 N/A C:\Windows\SysWOW64\khfjvspmqr.exe C:\Windows\SysWOW64\bxzdtjoj.exe
PID 1592 wrote to memory of 4088 N/A C:\Windows\SysWOW64\khfjvspmqr.exe C:\Windows\SysWOW64\bxzdtjoj.exe
PID 4784 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4784 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a31224d26b26443ef664482c59a05399_JaffaCakes118.exe"

C:\Windows\SysWOW64\khfjvspmqr.exe

khfjvspmqr.exe

C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe

mkvnsxlhfzfsvde.exe

C:\Windows\SysWOW64\bxzdtjoj.exe

bxzdtjoj.exe

C:\Windows\SysWOW64\viadpnxblugim.exe

viadpnxblugim.exe

C:\Windows\SysWOW64\bxzdtjoj.exe

C:\Windows\system32\bxzdtjoj.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Windows\SysWOW64\bxzdtjoj.exe

C:\Windows\SysWOW64\khfjvspmqr.exe

C:\Windows\SysWOW64\mkvnsxlhfzfsvde.exe

C:\Windows\SysWOW64\viadpnxblugim.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\Documents\ShowProtect.doc.exe

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe