Malware Analysis Report

2024-11-30 04:15

Sample ID 240613-am2v3awhpa
Target a31da94f9abda3681199df91e2cc364a_JaffaCakes118
SHA256 0def2b2922ba6a3ccdc47a8b0b7c7685772f0fd3d0a4c35d90cf423e54e58041
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0def2b2922ba6a3ccdc47a8b0b7c7685772f0fd3d0a4c35d90cf423e54e58041

Threat Level: Known bad

The file a31da94f9abda3681199df91e2cc364a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:20

Reported

2024-06-13 00:23

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbfjqnvl = "vuqdslaqgw.exe" C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hxppvuco = "gceqfznzigtyffl.exe" C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "esrywywaywwbw.exe" C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\caqckuag.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\caqckuag.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\esrywywaywwbw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gceqfznzigtyffl.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gceqfznzigtyffl.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\caqckuag.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\esrywywaywwbw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FCFF4F5D82189046D62E7E92BD97E640584066406345D6EA" C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12B44EF399A53C5B9D732EDD7BE" C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
N/A N/A C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\caqckuag.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
N/A N/A C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe
PID 2296 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\gceqfznzigtyffl.exe
PID 2296 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\gceqfznzigtyffl.exe
PID 2296 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\gceqfznzigtyffl.exe
PID 2296 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\gceqfznzigtyffl.exe
PID 2296 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2296 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2296 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2296 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2296 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\esrywywaywwbw.exe
PID 2296 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\esrywywaywwbw.exe
PID 2296 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\esrywywaywwbw.exe
PID 2296 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\esrywywaywwbw.exe
PID 2840 wrote to memory of 2720 N/A C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2840 wrote to memory of 2720 N/A C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2840 wrote to memory of 2720 N/A C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2840 wrote to memory of 2720 N/A C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Windows\SysWOW64\caqckuag.exe
PID 2296 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2296 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2296 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2296 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
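The table above logs one row per WriteProcessMemory call, so every parent/child pair repeats four times and the actual process lineage is hard to read off. The Python below is an added example by the editor, not part of the sandbox output: it parses a subset of the rows above in the report's own "PID X wrote to memory of Y N/A <process> <target> N/A" format, collapses the repeats into a per-edge call count, and prints the tree rooted at the detonated sample (PID 2296). One caveat the tree makes visible: the WINWORD.EXE -> splwow64.exe edge (Word launching the 32-bit print driver host, ordinary Office behaviour) carries the same four-call count as the dropper's edges, so the count alone is not evidence of code injection; the rows matter for lineage, not for proving hollowing.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Rows copied from the "Suspicious use of WriteProcessMemory" table above. This is a subset:
# the four-fold repeats are kept for two edges (2296->2840 and 2632->2772) so the per-edge
# call count stays visible; every other edge is represented by a single row.
SAMPLE_ROWS = r"""
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
PID 2296 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
PID 2296 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
PID 2296 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\caqckuag.exe N/A
PID 2296 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Windows\SysWOW64\esrywywaywwbw.exe N/A
PID 2840 wrote to memory of 2720 N/A C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Windows\SysWOW64\caqckuag.exe N/A
PID 2296 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe N/A
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe N/A
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe N/A
PID 2632 wrote to memory of 2772 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe N/A
"""

# Both image paths may contain spaces ("Program Files (x86)"), so the source path is matched
# lazily up to the first " X:\" that starts the target path.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>[A-Za-z]:\\.+?) (?P<dst_path>[A-Za-z]:\\.+?) N/A$"
)


@dataclass(frozen=True)
class Write:
    src: int        # PID that called WriteProcessMemory
    dst: int        # PID whose memory was written
    src_path: str
    dst_path: str


def parse_writes(text: str) -> list[Write]:
    """One Write per table row; lines that do not match the sandbox format are skipped."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            writes.append(Write(int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"]))
    return writes


def build_tree(writes: list[Write]):
    """Collapse repeated rows into a parent->children map (first-seen order) plus a
    per-edge call counter; each PID's image path is taken from its first row."""
    children: dict[int, list[int]] = {}
    names: dict[int, str] = {}
    counts: Counter = Counter()
    for w in writes:
        names.setdefault(w.src, w.src_path)
        names.setdefault(w.dst, w.dst_path)
        counts[(w.src, w.dst)] += 1
        kids = children.setdefault(w.src, [])
        if w.dst not in kids:
            kids.append(w.dst)
    return children, names, counts


def roots(children: dict[int, list[int]]) -> list[int]:
    """PIDs that write to others but are never written to themselves (here: the sample)."""
    written_to = {kid for kids in children.values() for kid in kids}
    return [pid for pid in children if pid not in written_to]


def render(children, names, counts, pid: int, parent: int | None = None, depth: int = 0) -> list[str]:
    """Indented tree; each child line carries how many WriteProcessMemory rows produced it."""
    image = names[pid].rsplit("\\", 1)[-1]
    tag = f"  [{counts[(parent, pid)]} WriteProcessMemory calls]" if parent is not None else ""
    lines = [f"{'    ' * depth}{pid} {image}{tag}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, names, counts, kid, pid, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_writes(SAMPLE_ROWS))
    for root in roots(tree[0]):
        print("\n".join(render(*tree, root)))
```

Run against the full table the output has a single root, 2296, with five direct children (the four SysWOW64 drops plus WINWORD.EXE opening the decoy C:\Windows\mydoc.rtf), one grandchild under vuqdslaqgw.exe (the second caqckuag.exe instance, PID 2720) and splwow64.exe under Word.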

Processes

C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"

C:\Windows\SysWOW64\vuqdslaqgw.exe

vuqdslaqgw.exe

C:\Windows\SysWOW64\gceqfznzigtyffl.exe

gceqfznzigtyffl.exe

C:\Windows\SysWOW64\caqckuag.exe

caqckuag.exe

C:\Windows\SysWOW64\esrywywaywwbw.exe

esrywywaywwbw.exe

C:\Windows\SysWOW64\caqckuag.exe

C:\Windows\system32\caqckuag.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2296-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gceqfznzigtyffl.exe

MD5 c3d0d72ad2fcd40ae7e305e5509da3a1
SHA1 9268c792d781d1943ab767b34e02a340a691d5f8
SHA256 884ca0b2d044d514dc01a7a1fe9047c6fd73356196ef42155406e91382b9573a
SHA512 7f0e8881b849c75ee8c630b0aa978e88532276137116adfdfbcee190f5655e22e44e205216963071deb33ac6896a35c923d3ed0ffeb23040c02c6ed65d89afdf

\Windows\SysWOW64\vuqdslaqgw.exe

MD5 013eaa7e1c397f4c070d90a9c42782da
SHA1 0aba05a31e3cf3aba7dffddbabc26a103aecbefb
SHA256 43da9ac4ce68a2a1be694b0115e46413116856622aec3e9807c9413fcfa67dcf
SHA512 60526b65c6c4a1f12725df360e7dcf4a3585c44295cf2e51a998d6b1296ca8e646c513b0fbd871d51ba15454a8f750fb5ddffb5d86cce44d25bc22647342dbfb

C:\Windows\SysWOW64\caqckuag.exe

MD5 128f8411d4ce349fa319bde7fb089726
SHA1 366a61781483dc7993107b0eb9f34aada440fbbd
SHA256 74e27cfe408dc0ead0e65b998d29d0a2c458dd1511400d8e03a6cec474778b32
SHA512 18c24ea21a4098792fd1b27f3e9e53524ee28996da8297d33431382ebc31d5d31347bd6e72ecc699999552877d2e93ab352c96450ab3321d3b06a9a2441318d6

\Windows\SysWOW64\esrywywaywwbw.exe

MD5 46814d62d6a384c5de33249f6d3baec3
SHA1 c3362bef24a2101d141bda977f35ffa86aead697
SHA256 be890b3df2d3c364706b3970adeb955445cdf9540cfe63fc38e4dc850747f43d
SHA512 30cdc4f6c23032cad446351ae871e919ef112ee1dc758de9b1ac1d33f76555128c87d383fb78774b0bec83ce36a67fea982e3aa3f5488107600437dcc806c618

memory/2632-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 2fbba212cf537d0d15c5d6993135e986
SHA1 258ea96fa1ea5226be4aa9039a71dbf95387ec81
SHA256 a2dd37023c3a7fdd54ed861f54481f23de6ab4a3907ec29e52fdfb2e7c7d42e6
SHA512 03df45433a094fef96209028007ba646a24f2ceebc10e5f40b841aeb9760dba6ab4a4f5e6c582ccfdc8935ff2d6c0eeb8e03b10518bccf9b310ed11f46fa2ba5

C:\Users\Admin\Downloads\GetInvoke.doc.exe

MD5 5e20ff467be6cf96ae707f9f1f34d6da
SHA1 0290475e69f4af7de154c7d872302dc9c9b53c0b
SHA256 4e44d782deceedc66a2f922be1388003d2999cf4031e03117bb913fb6a073a11
SHA512 ae0d2f5da974a1c2dd37e94eeec2afe55a2423758323b2a736ac194b9e98137497a67dbeb851a99bd3fb9374a45cee41d5f09e402b278fb09be969803e2d7133

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 90cd91da18297b441c5764a45261f3ba
SHA1 05f3c790259f12a28b501f064daf9bdbaa1344ae
SHA256 9e4cfaf35eee5598b43df6138dec7597ab9e742526e5c2fd6cc46268fd1a1147
SHA512 16ce33d1e28d5ac6710d69c9aa189cf5081efe65102c21c956de04e89572c51a3b030365dd733df6e44088f5099915441b82e3b1d61e80651a1df26a6ad7859b

memory/2632-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:20

Reported

2024-06-13 00:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qbfjqnvl = "vuqdslaqgw.exe" C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hxppvuco = "gceqfznzigtyffl.exe" C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "esrywywaywwbw.exe" C:\Windows\SysWOW64\gceqfznzigtyffl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\caqckuag.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\vuqdslaqgw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\caqckuag.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Windows\SysWOW64\esrywywaywwbw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\vuqdslaqgw.exe N/A
File created C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vuqdslaqgw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gceqfznzigtyffl.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gceqfznzigtyffl.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\caqckuag.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\esrywywaywwbw.exe C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\caqckuag.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\caqckuag.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB7FE1D21A9D108D0A08B7F9166" | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FCFF4F5D82189046D62E7E92BD97E640584066406345D6EA" | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7D9D5783206D3F76DC70272DDF7DF265DE" | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12B44EF399A53C5B9D732EDD7BE" | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C77914E2DBC2B9B97FE1EDE434C6" | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FACEF913F298830F3A4B86EE3EE2B0FD02884213024BE1C842E608A6" | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\Windows\SysWOW64\vuqdslaqgw.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Process | Events (no description, indicator or target recorded)
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses

Process | Events (no description, indicator or target recorded)
C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | 16
C:\Windows\SysWOW64\vuqdslaqgw.exe | 10
C:\Windows\SysWOW64\gceqfznzigtyffl.exe | 10
C:\Windows\SysWOW64\esrywywaywwbw.exe | 12
C:\Windows\SysWOW64\caqckuag.exe | 16

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3096 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | C:\Windows\SysWOW64\vuqdslaqgw.exe | 3
PID 3096 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | C:\Windows\SysWOW64\gceqfznzigtyffl.exe | 3
PID 3096 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | C:\Windows\SysWOW64\caqckuag.exe | 3
PID 3096 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | C:\Windows\SysWOW64\esrywywaywwbw.exe | 3
PID 3096 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 2
PID 5076 wrote to memory of 3084 | N/A | C:\Windows\SysWOW64\vuqdslaqgw.exe | C:\Windows\SysWOW64\caqckuag.exe | 3

Processes

Image path: C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a31da94f9abda3681199df91e2cc364a_JaffaCakes118.exe"

Image path: C:\Windows\SysWOW64\vuqdslaqgw.exe
Command line: vuqdslaqgw.exe

Image path: C:\Windows\SysWOW64\gceqfznzigtyffl.exe
Command line: gceqfznzigtyffl.exe

Image path: C:\Windows\SysWOW64\caqckuag.exe
Command line: caqckuag.exe

Image path: C:\Windows\SysWOW64\esrywywaywwbw.exe
Command line: esrywywaywwbw.exe

Image path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Image path: C:\Windows\SysWOW64\caqckuag.exe
Command line: C:\Windows\system32\caqckuag.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp

Files

memory/3096-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gceqfznzigtyffl.exe

MD5 d85aa3f4674d276535648f7098570fea
SHA1 1be33e113391730bbc82e5380aba74f02eba5bf3
SHA256 283d59f7db29c7d1bd24b81b848a6e4ca557194a84ced79cd35935739fd0d620
SHA512 73e1afe1f9ac43981e199316f5732ab667a20ae7455eb4762e830e6f480f4033c298c28b015ce044f9665e570b61a05f016759d701cd9d186965e64512b317a9

C:\Windows\SysWOW64\vuqdslaqgw.exe

MD5 bef9db029985d581cfac2b7552531918
SHA1 ef56d3e9f7f2600b97ec2e1c21f43e2b347dcd82
SHA256 a177f24f9e62bebb1db2579f5d79c9748da9996695530eddcb390c06ab656616
SHA512 9ddf93083cb8684bc95678483aea4acce91cb3ce3018b66aa1c7e437606b6fb252ef53516dcd90d166557687c5e84c191749da133db139e46c3a148dcc05008c

C:\Windows\SysWOW64\caqckuag.exe

MD5 5e0846ddfaeb2fa39c74459a49893a70
SHA1 e5cdf9d0e9532820de49ec3ff0c68ded49661f7f
SHA256 f7fdaf457516b0b9ec8e81d607c03efd61680246f968dc01fc3dfdb9653c6b11
SHA512 5048c65f7f16d3dcf2d8b81da0c0a4a9d676e3ce0d020287b24cb199dda2835b078fbd9763f8a7f7f2e2ca3c5b42fe1ede16c306da8976edea2c4d98260f1339

C:\Windows\SysWOW64\esrywywaywwbw.exe

MD5 2aaba6dfa9bd0fafead0c14a32bd2577
SHA1 a01a2a3311e7b92cd7e22951d9a2ab44bc03931a
SHA256 c6e99fab1f10ea94fab4a22ce9fb7457c648c33eab83ccb4488c495d6cc3d3ee
SHA512 3581692b9124c82c5a170c5a9890e1139d9b8f2cb11ed2c79a97224dc0ea8e51ad767b65fe7690d13212339db1ba71f961d1e8b136431b6e773db26f98340ffb

Memory dumps of PID 3652 (WINWORD.EXE): memory/3652-37, -38, -39, -40 and -41 covering 0x00007FF9D4690000-0x00007FF9D46A0000; memory/3652-42 and -43 covering 0x00007FF9D2410000-0x00007FF9D2420000 (all memory.dmp).

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 b3e2360020de0543038cd1dd37d9c63e
SHA1 0c9199b2d7bb8a76b62e27b12d3ac08d758deab0
SHA256 a8cbb3d48f815bcd38131b03ad686aa838cc9bb4963fc85e456200a08b62e981
SHA512 163139b88725a2af1deb25cbe6477b8a1717fc02fbe120068d8bed078d0a6777ea2137ccae241bb7ecacfb495920c20107c2c92ee5af2fba1eeed939412ec303

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 24026aca0d8cdb9fb8056e791871d40b
SHA1 4f40f85eb8d66a637c75126768fea63b105db8fa
SHA256 dd7bfa56173679f4688b7c06462ad172a32e83a9086117356436c0f31f4d1df2
SHA512 91904595050ee48b1a8fbbfc6ed6aea1598b212074a92738066adb4bf124eb8cb51766056d9ca7d1febeed0617d542099eea29dbdae4a219ae53d9d3c51dd37d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 2c515395ae306a044f82caee4b3f4bd9
SHA1 8ea7e3ae84d8d0c393b04084cd2ba0ac9e597251
SHA256 77adc4b863288fb2cdf03f9e17a5b7e28da6e0937cac98e280526ffbb3c17eaf
SHA512 eb90d38b99c61acf9e5bf39a6b5df700958a00ab353e719815431a280380349b1b3687d22105c4f035c04b7eccf671aca5de87246beabd6c96015099e3fe7ddf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3dddb578ec9cec548169ca988348d291
SHA1 ce3cc250142f882bec42a8f16a203b3feef631f6
SHA256 ba3f20392e5e8ea594a1045e455533cf678c019cb3ba2b821deec371e3b2c916
SHA512 7f0dd0fc4e924bc126a1c9b282d4ca82e536ba48e82f7684d39561c0c77ff4cdd0c823cab18f26be66bbd2430cf4b0288f588b74bda799a3763a70164343b4ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 6bdb066cb6c008a7060f69d6f0e5a68f
SHA1 67780197ba54a01c07f79ba285e863ef7bd1bb5c
SHA256 a413418215ab89663bdda44da089c9e2d8de434508cb05bee47ece09c44bc44d
SHA512 5df2a60e4ab349e0d2e8e3df7304cef17f274d044b8e5de3fe916a12a69333e33684c5e5e2fa17b6c789ddb8e31ddcb417392e727dd959737c8e19796b5c261f

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 a21db77de178be5d6cca3b8786122be1
SHA1 4c3ad726076306d8bea98ecc5197064e4b66fdee
SHA256 bf27594c12380d322617af359e36ba285c60a5d7e4aa5c2be2b5e95faec867cc
SHA512 f0349bc016014f452065d81cace1cd968c1872d36f41e38723d4f25a9608496725dd615e9325a1300bdc951793b8d551f004840e3b5dc37ecca939a1fe779c02

Memory dumps of PID 3652 (WINWORD.EXE): memory/3652-112, -113, -114 and -115 covering 0x00007FF9D4690000-0x00007FF9D46A0000 (all memory.dmp).