Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-ehhzlsxbrj
Target a3c059f6e292c34cdb25843d8d476568_JaffaCakes118
SHA256 17fe9527a24327cb25e9d87429e849a87e99f871d1848d71220b59f63e960847
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17fe9527a24327cb25e9d87429e849a87e99f871d1848d71220b59f63e960847

Threat Level: Known bad

The file a3c059f6e292c34cdb25843d8d476568_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:56

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:56

Reported

2024-06-13 03:58

Platform

win7-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gktmgmfo = "gwqcmizudworijd.exe" C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yruipirqpnmsh.exe" C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lyynpxqw = "fxwyzdnyiq.exe" C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fhaerkjn.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\yruipirqpnmsh.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File created C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gwqcmizudworijd.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fhaerkjn.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yruipirqpnmsh.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gwqcmizudworijd.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fhaerkjn.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9CAFE17F1E3837D3B3181EA3E94B08B03884367023BE1BE42EA08D5" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67A14E6DAB6B8BA7CE9EDE334C6" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1532 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1532 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1532 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1532 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1532 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1532 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1532 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1532 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1532 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1532 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1532 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1532 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 1532 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 1532 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 1532 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 2100 wrote to memory of 2556 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 2100 wrote to memory of 2556 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 2100 wrote to memory of 2556 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 2100 wrote to memory of 2556 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1532 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1532 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1532 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1532 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2468 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe"

C:\Windows\SysWOW64\fxwyzdnyiq.exe

fxwyzdnyiq.exe

C:\Windows\SysWOW64\gwqcmizudworijd.exe

gwqcmizudworijd.exe

C:\Windows\SysWOW64\fhaerkjn.exe

fhaerkjn.exe

C:\Windows\SysWOW64\yruipirqpnmsh.exe

yruipirqpnmsh.exe

C:\Windows\SysWOW64\fhaerkjn.exe

C:\Windows\system32\fhaerkjn.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1532-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gwqcmizudworijd.exe

MD5 e05a7b6dc0a7e86c0b5de69a1ded3b65
SHA1 09109dede8d922822786d7f462d030f060094ed9
SHA256 635a6f524d8286e88ebf02dbcc0fa797df1fb76a682ce74c17c662a9d3300761
SHA512 8fcd320b698e25b47f3769150d5076546185d0fb65f998cc073d7137f94bf4ec9db4cf79c3b26a8048246f58ac7121c4be1790dad927e68761e7301a0795118f

\Windows\SysWOW64\fxwyzdnyiq.exe

MD5 54a0aa1cfe558492a59e8426547fed97
SHA1 4cbb5e93e60ef89c7ca69b5701351c145331b70e
SHA256 81b9b5edee9fdc32bd8232b5a045c0b246cb411f2869c95a39d4250bad78c99b
SHA512 7bafc01d7c0876a3a06a5bb00ff44e7530af7e775421962df65f69341aface41b4e58bdd646ae078b029348911b43743d7f8c8e12197c584aa4bab6cadd4249f

\Windows\SysWOW64\fhaerkjn.exe

MD5 87f43d88f8e0a7018eee12023cd1e46f
SHA1 cacc21def8448860e3657fcc16cb1b30b8c5116e
SHA256 b75fb6d26dc2ced5d391776431d2df821ac0254d7a4ed0cf3384dc25b311ef4c
SHA512 b63e5865c26852a1f565f70f9a742d1fe8cd7b61898db7a284f95b65407b3a686f1c557c9b529a24cf6b0767c26c51fb177917d16e6f6d91fdda43686d64a298

\Windows\SysWOW64\yruipirqpnmsh.exe

MD5 abbe1c34e6d4755253f143b3f8b5b1d6
SHA1 fb456979997ce1c2f68c79954ed423c204f57754
SHA256 27a84f28258f0268c942fed181fcf68efc9ea1725e05177c3ff6d57e83843d17
SHA512 ddad7cd41da321a7aa080b739ba3de71b87f3b6a6dcdef4098903533065acd6005edc0372aac74aa095240b97819dfd606144ddcc60f39b15bc5a1362554067a

memory/2468-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 2bc1020ca2df44b05e6b66f7eb1ae058
SHA1 895c5ab938126ac1043f5d7f568b4de32f6673fa
SHA256 dce3e4410557663b5fd5b1802d1269c9a3b8c29ac715261968f462e0a978e3e3
SHA512 b6f11951e7839b260d3d06b7979f408bcd91a5ca5260a11519b35e5d1198faa982a379af17bb3a709f7582a8422dcbbda3a08024ed96f6a786e4fc21b2408501

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 c0085e2ed1802d2fba894f375832fef0
SHA1 89ce8c4edf1db9bbb9f7170dd4d52ac6c1404164
SHA256 00d2130920b5d9c3637f15579fd89d3ec0ff2b40676fb2b3cd50a005e696fdb3
SHA512 2b1529cc181b61573131805afb93a233c87d5b8d8459db3595ee160737ca595fdb55ccd738bbdbfc3fbe82e86f716fdf1d9b9f5084d2327104fcac83dbf34472

memory/1228-88-0x0000000002B30000-0x0000000002B40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:56

Reported

2024-06-13 03:58

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gktmgmfo = "gwqcmizudworijd.exe" C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yruipirqpnmsh.exe" C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lyynpxqw = "fxwyzdnyiq.exe" C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fhaerkjn.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gwqcmizudworijd.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fhaerkjn.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Windows\SysWOW64\fhaerkjn.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yruipirqpnmsh.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Windows\SysWOW64\yruipirqpnmsh.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\gwqcmizudworijd.exe C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9CAFE17F1E3837D3B3181EA3E94B08B03884367023BE1BE42EA08D5" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68C3FF6D21ADD10BD1A68B789014" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67A14E6DAB6B8BA7CE9EDE334C6" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D0B9D5582566D3676D470512DD77D8765D8" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B15B47EF399852CCBAA0329FD7C8" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FCFC4F5C85189047D72E7E97BC97E632593267336246D79C" C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\gwqcmizudworijd.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\yruipirqpnmsh.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A
N/A N/A C:\Windows\SysWOW64\fhaerkjn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1184 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1184 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1184 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1184 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1184 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\gwqcmizudworijd.exe
PID 1184 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1184 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1184 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1184 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 1184 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 1184 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\yruipirqpnmsh.exe
PID 724 wrote to memory of 4992 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 724 wrote to memory of 4992 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 724 wrote to memory of 4992 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1184 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1184 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
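The three tables above are more useful once parsed than read row by row: fhaerkjn.exe opening MsoIrmProtector.doc.exe under WinSxS for writing, fxwyzdnyiq.exe rewriting the Classes\.bat, .vbs, .WSF, .WSH, .wsc and .reg handlers to "txtfile", and the PID-to-PID WriteProcessMemory rows that give the injection chain. The Python below is an added example and is not part of this report or of the sandbox's own tooling. It parses rows in the flattened "Description Indicator Process Target" layout and runs three checks over them. SAMPLE_ROWS is copied from this report's tables; the expected-handler map DEFAULT_PROGID (stock Windows 10 ProgIds) and the TRUSTED_WRITERS allow-list are assumptions to be confirmed against a clean reference image.

```python
"""Parse the flattened "Description Indicator Process Target" rows of a sandbox report and
run three checks: script-handler hijacks, writes to executables under protected directories,
and the WriteProcessMemory process tree. Added example, not the report's or the sandbox's
own code; SAMPLE_ROWS is copied from this report, DEFAULT_PROGID and TRUSTED_WRITERS are
assumptions."""
import re
from collections import defaultdict, namedtuple

SAMPLE_ROWS = r"""
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\fhaerkjn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\fxwyzdnyiq.exe N/A
PID 1184 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 1184 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Windows\SysWOW64\fxwyzdnyiq.exe
PID 724 wrote to memory of 4992 N/A C:\Windows\SysWOW64\fxwyzdnyiq.exe C:\Windows\SysWOW64\fhaerkjn.exe
PID 1184 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"""

Event = namedtuple("Event", "description indicator process target")
DESCRIPTIONS = ("File opened for modification", "File created", "Key opened",
                "Key created", "Key value queried", "Set value (str)")
ROW_RE = re.compile(r"^(?P<desc>" + "|".join(map(re.escape, DESCRIPTIONS))
                    + r"|PID \d+ wrote to memory of \d+|N/A)\s+(?P<rest>.+)$")
# The indicator comes first; every later column starts with an upper-case drive letter
# (the report prints process paths as C:\...), so split only on whitespace before "C:\".
COLUMN_SPLIT = re.compile(r"\s+(?=C:\\)")

def parse_rows(text):
    """One Event per parsable line. Repeated rows are kept; the checks collapse them."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parts = COLUMN_SPLIT.split(m.group("rest"))
        if len(parts) == 3:                       # indicator, process, target
            indicator, process, target = parts
        elif len(parts) == 2:                     # indicator, process followed by "N/A"
            indicator, process = parts
            process, target = (process[:-4] if process.endswith(" N/A") else process), "N/A"
        else:
            continue
        events.append(Event(m.group("desc"), indicator, process, target))
    return events

# Stock Windows 10 handlers for these extensions (assumption; verify on a clean image).
DEFAULT_PROGID = {".bat": "batfile", ".vbs": "VBSFile", ".wsf": "WSFFile",
                  ".wsh": "WSHFile", ".wsc": "scriptletfile", ".reg": "regfile"}
CLASSES_RE = re.compile(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.\w+)\\ = "([^"]*)"$')

def script_association_hijacks(events):
    """{ext: (new_progid, expected_progid, writer)}. A "txtfile" handler on .bat/.vbs/.reg
    makes a double-click open Notepad instead of running the file, which blocks the usual
    manual clean-up. Key names are case-insensitive, so ".WSF" and ".wsf" are one key."""
    hits = {}
    for ev in events:
        m = CLASSES_RE.match(ev.indicator) if ev.description == "Set value (str)" else None
        if m:
            ext, progid = m.group(1).lower(), m.group(2)
            expected = DEFAULT_PROGID.get(ext)
            if expected and progid.lower() != expected.lower():
                hits[ext] = (progid, expected, ev.process)
    return hits

PROTECTED_DIRS = ("c:\\windows\\winsxs\\", "c:\\windows\\system32\\",
                  "c:\\windows\\syswow64\\", "c:\\program files\\")
TRUSTED_WRITERS = {"c:\\windows\\servicing\\trustedinstaller.exe"}  # assumption; extend per estate

def normalize(path):
    return (path[4:] if path.startswith("\\??\\") else path).lower()

def system_binary_writes(events):
    """Sorted (binary, writer) pairs where an untrusted process opened an .exe/.dll for
    writing under a protected directory, e.g. the WinSxS component store."""
    hits = set()
    for ev in events:
        if ev.description in ("File opened for modification", "File created"):
            path, writer = normalize(ev.indicator), normalize(ev.process)
            if (path.startswith(PROTECTED_DIRS) and path.endswith((".exe", ".dll"))
                    and writer not in TRUSTED_WRITERS):
                hits.add((path, writer))
    return sorted(hits)

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
def process_tree(events):
    """(names, children): pid -> image path, and parent pid -> sorted child pids. The
    report lists the same parent/child pair several times; they collapse to one edge."""
    names, children = {}, defaultdict(set)
    for ev in events:
        m = WPM_RE.match(ev.description)
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            names[parent], names[child] = ev.process, ev.target
            children[parent].add(child)
    return names, {p: sorted(c) for p, c in children.items()}

if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print(script_association_hijacks(evs), system_binary_writes(evs), process_tree(evs), sep="\n")
```

The handler check is the one to act on during clean-up: with .bat, .vbs and .reg pointed at txtfile, a remediation script or a registry fix double-clicked by the user opens in Notepad and does nothing, so restoring the stock ProgIds has to come before, not after, deleting the dropped executables. Over the report's full WriteProcessMemory table the collapsed edges give the chain 1184 -> 724 -> 4992 (the sample, fxwyzdnyiq.exe, then the second fhaerkjn.exe) next to 1184 -> 2280, 692 and 1940, the last being the WINWORD.EXE instance that opens the decoy C:\Windows\mydoc.rtf.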

Processes

C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3c059f6e292c34cdb25843d8d476568_JaffaCakes118.exe"

C:\Windows\SysWOW64\fxwyzdnyiq.exe

fxwyzdnyiq.exe

C:\Windows\SysWOW64\gwqcmizudworijd.exe

gwqcmizudworijd.exe

C:\Windows\SysWOW64\fhaerkjn.exe

fhaerkjn.exe

C:\Windows\SysWOW64\yruipirqpnmsh.exe

yruipirqpnmsh.exe

C:\Windows\SysWOW64\fhaerkjn.exe

C:\Windows\system32\fhaerkjn.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/1184-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gwqcmizudworijd.exe

MD5 da96b0b2544130ce7ff6c8756ef68319
SHA1 eb930787c8892f4ad7a8fa277ee33b48c7bb289a
SHA256 60c57cf80609f9866a3308433f967564397bba40a34c27ed8b3241fd382a41f0
SHA512 ae5103ddaa916f43a688d05d3818584a0d3a153ac77d18d125323367628434976b4d1419ec9b3d5326b65d642f2c19359b4a84cdc841c9c727b2f8516b9da2e4

C:\Windows\SysWOW64\fxwyzdnyiq.exe

MD5 74be7c489d44fb5f4bdf0a13bfbf761d
SHA1 e562f2dd22baa77029be723fdedadcfc267d56b3
SHA256 59a85f76326ea05b56c1706dcb2ffce9f07e5fa4365732cc251a116e7cc5aaa4
SHA512 eb0d6529638d00d6441e849b851660d982db9ae23edb413c1cf8e194731da71ead0a5076b2edf875ba828f242adcfe85d5a675b935457ca522f2073364947534

C:\Windows\SysWOW64\fhaerkjn.exe

MD5 407df293b5887f17853bf76153584693
SHA1 bf1f601df9aff0e6cdb5f946968225a6482d5ba7
SHA256 1036fb08179cb716bef7e77d4e8ca67644d66b90e544f883a2ed52a5025d443d
SHA512 08b6e2712d8f9cdf7929ad46264b7b62a937213b718ab8aa7d6581604dac2014c7405cedc4ccffd37b305e365dc0d986eff72c7ce575595f7acac7c76d04bf6d

C:\Windows\SysWOW64\yruipirqpnmsh.exe

MD5 2698d60e65f55656f96b8da07b80ec8d
SHA1 13fec9150aba07ec26df8da497f55866bb0f2cdc
SHA256 8f1f5ea66610b82d42b32759bf17a9deeb4db2399371c98dcad23ea08a7853d1
SHA512 1a7b1c7c26be65bed93e9cde84e21416045198b7102757df5a08a53c03e475739ca93ce4dd758096d8804f420d0a8ee0c1681f06db07923a879ec003bbffbe6a

memory/1940-37-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-39-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-38-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-40-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-41-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-42-0x00007FFE4D100000-0x00007FFE4D110000-memory.dmp

memory/1940-43-0x00007FFE4D100000-0x00007FFE4D110000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 9c3f1e2ae59f97a25815a62fe9e0cb34
SHA1 91ef92e30c0ddc32a13cd805cbe892acb0f5c059
SHA256 85a5f7860089d47de05c76a95d6c5d4777c85cb80097a15b89da23ec5451090f
SHA512 f92181230dec3767f96c611a0e280cdf3eb271e3304117fddeab8aaafdd7a9574bd1974aa8bf889f19169b1254cc52628dc0278c9ca90cf38cfd7e78d20bac60

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 8ae4a27d3edcd1e154e530ed0407cfe7
SHA1 0b8c16c7cf09f0866915b69a2408fca2c91a3899
SHA256 d2c566242160611a35365e354b9272195f218b61b2d3eb99976918302613bd5e
SHA512 16447ca0a7f5b35af676bcb9ae121edb2f181d3a26673ea43eae84bd60f1b065c25afecf0a394581821edfced3782a22f42cca6626c6b7e4bffefc3c45061424

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 c2d8b34f0559f63b157ae8a75090f341
SHA1 ae20a342ab7bc08149dce71b96bec5c94541362e
SHA256 1acbe893259c639ceb26cb6596dbc4fb3b3521079aba3262e45088bed9495d05
SHA512 a1b97dd9e7929267407b16e6cf51d4dbc6f5eb920cbfafb497b54e7e74c1ad0b6c3ff787b877f45358802d703cdde67212abc385af2b413540bf9735dc0f7f97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 8f5c44e1551e133335388ab8900e956f
SHA1 1c115828a253459d609ebc7beb11283e6f94d2be
SHA256 8e4f760f7ddc9edb116aa6dfd13e9a7171b9c088ca201ce13238c62e745bd3c4
SHA512 7d5c83f19c5ebb15ef54a738c8352e457328019a0e209bb754a3049c0617f20f360a1dd5863304fc3e3c2946b1f0a994b4facc20fcd16668ad1f615c4bc2461c

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 f4ab3aaed00ff5461e4237464f4fbb91
SHA1 b6ef20a2cce50efca0a67df9827d5b674343ff66
SHA256 9f126d99783935695b56b021efa3d5ee37f79ee8dae6561d7a17fca573f20201
SHA512 5e6247bb63efdc5943d9326d2f55b1f52c0ae44c30d4b565777cc27b7a36f111e333f3a2b304065213a171523867eb97084cb136c1b6a0dd79d10c093795d7b2

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d08872027844dc610b55026dc9f9ad46
SHA1 20d182a8d5f6a0c34d7bb6f89cd2a690b3bd3380
SHA256 ae6c0a52f6f31efc947d991c94ec76673bfa4c07dc21fe7f93b1d569aa738de0
SHA512 a0fed8fce3c0b9f7df6816b7be27ec7dd7d6e0fdc3c115f7c7b4d72dd0c506fed61d3766410e11e3ba738148a1367890087cbaafe6ad24957513b72169bf1391

memory/1940-114-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-115-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-116-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp

memory/1940-113-0x00007FFE4F9B0000-0x00007FFE4F9C0000-memory.dmp
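The Files list above mixes the digests of dropped and modified files with process memory dumps and per-session Office artefacts, and the same path can appear twice with different digests (MsoIrmProtector.doc.exe and the customDestinations-ms file were each written and then rewritten). The Python below, an added example that is not part of this report or of the sandbox's own tooling, parses that layout into a digest-keyed IOC table, drops the detonation-specific noise, and scans a directory tree for matches. FILES_SECTION is copied from the entries above with the SHA512 lines left out for brevity; the NOISE filter and the paths used in demo() are assumptions.

```python
"""Build a digest-keyed IOC table from the "Files" section of a sandbox report and scan a
directory tree against it. Added example, not the report's or the sandbox's own code;
FILES_SECTION is copied from this report (SHA512 lines omitted for brevity), the NOISE
filter and the paths used in demo() are assumptions."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

FILES_SECTION = r"""
memory/1184-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\fxwyzdnyiq.exe
MD5 74be7c489d44fb5f4bdf0a13bfbf761d
SHA1 e562f2dd22baa77029be723fdedadcfc267d56b3
SHA256 59a85f76326ea05b56c1706dcb2ffce9f07e5fa4365732cc251a116e7cc5aaa4

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 f4ab3aaed00ff5461e4237464f4fbb91
SHA1 b6ef20a2cce50efca0a67df9827d5b674343ff66
SHA256 9f126d99783935695b56b021efa3d5ee37f79ee8dae6561d7a17fca573f20201

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 d08872027844dc610b55026dc9f9ad46
SHA1 20d182a8d5f6a0c34d7bb6f89cd2a690b3bd3380
SHA256 ae6c0a52f6f31efc947d991c94ec76673bfa4c07dc21fe7f93b1d569aa738de0
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

def parse_files_section(text):
    """[(path, {algo: hexdigest})] in report order. A list, not a dict keyed by path: the
    same path can be listed twice with different digests (written, then rewritten) and
    both digests are indicators. Memory dumps have no digest lines and get an empty dict."""
    artifacts = []
    for line in text.splitlines():
        line = line.strip()
        m = HASH_LINE.match(line)
        if m and artifacts:
            artifacts[-1][1][m.group(1).lower()] = m.group(2).lower()
        elif line and not m:
            artifacts.append((line, {}))
    return artifacts

# Detonation-specific noise: process memory dumps and per-session Office/Explorer MRU
# files whose digests will not recur on another host (assumption; tune per environment).
NOISE = re.compile(r"^memory/|\\Recent\\", re.IGNORECASE)

def ioc_table(artifacts):
    """{hexdigest: [report paths]} over every algorithm, noise entries dropped."""
    table = defaultdict(list)
    for path, digests in artifacts:
        if digests and not NOISE.search(path):
            for digest in digests.values():
                table[digest].append(path)
    return dict(table)

def digest_file(path, algos=("md5", "sha1", "sha256")):
    """Read the file once and return {algo: hexdigest} for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def scan_directory(root, table):
    """[(local path, first matching report path)] for every file whose digest is in table."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            local = os.path.join(dirpath, name)
            try:
                digests = digest_file(local)
            except OSError:              # unreadable, or gone between listing and open
                continue
            matched = next((table[d][0] for d in digests.values() if d in table), None)
            if matched:
                hits.append((local, matched))
    return hits

def demo():
    """Stand-alone run: scan a temp dir holding one constructed file before and after that
    file's SHA256 is added under a hypothetical report path. Returns (hits before, after)."""
    table = ioc_table(parse_files_section(FILES_SECTION))
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not a report artifact")
        before = scan_directory(tmp, table)
        table[digest_file(sample)["sha256"]] = ["C:\\hypothetical\\dropper.exe"]
        after = [report for _, report in scan_directory(tmp, table)]
    return len(before), after

if __name__ == "__main__":
    print(demo())
```

Keying the table by digest rather than by path is what keeps both MsoIrmProtector.doc.exe versions as separate indicators. The dropped executables also carry random-looking names (fxwyzdnyiq.exe, gwqcmizudworijd.exe, fhaerkjn.exe, yruipirqpnmsh.exe), so filename matching on another host is weak; pivot on these digests and on the behavioural rows (the Classes handler rewrites, the WinSxS writes, the Run key and WinLogon changes listed in the summary) instead.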