Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-et9ayaxepj
Target a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118
SHA256 c2f3050f83b17739dc4ed6343275ec86e69d658e06b1230d18bf2fd1669351d6
Tags: evasion persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

c2f3050f83b17739dc4ed6343275ec86e69d658e06b1230d18bf2fd1669351d6

Threat Level: Known bad

The file a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Windows security modification

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:15

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:15

Reported

2024-06-13 04:17

Platform

win7-20240419-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\lretkxplru.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\lretkxplru.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\maxuvzwv = "lretkxplru.exe" C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uzadxdue = "ketxyvjopphpfia.exe" C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ueltoyjllxmwm.exe" C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\lretkxplru.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hexzdgjv.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\lretkxplru.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ueltoyjllxmwm.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ketxyvjopphpfia.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ketxyvjopphpfia.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hexzdgjv.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hexzdgjv.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ueltoyjllxmwm.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\lretkxplru.exe N/A
File created C:\Windows\SysWOW64\lretkxplru.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lretkxplru.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hexzdgjv.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hexzdgjv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hexzdgjv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\lretkxplru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\lretkxplru.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2D7A9C2C82206A3777A777262CAB7CF565DC" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\lretkxplru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB4FF6C22DDD109D1A48B7E9017" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B12F44E638E853CABAD5329FD4B9" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\lretkxplru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\lretkxplru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\lretkxplru.exe N/A
N/A N/A C:\Windows\SysWOW64\lretkxplru.exe N/A
N/A N/A C:\Windows\SysWOW64\lretkxplru.exe N/A
N/A N/A C:\Windows\SysWOW64\lretkxplru.exe N/A
N/A N/A C:\Windows\SysWOW64\lretkxplru.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\hexzdgjv.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ueltoyjllxmwm.exe N/A
N/A N/A C:\Windows\SysWOW64\ketxyvjopphpfia.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\lretkxplru.exe
PID 2248 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\lretkxplru.exe
PID 2248 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\lretkxplru.exe
PID 2248 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\lretkxplru.exe
PID 2248 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ketxyvjopphpfia.exe
PID 2248 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ketxyvjopphpfia.exe
PID 2248 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ketxyvjopphpfia.exe
PID 2248 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ketxyvjopphpfia.exe
PID 2248 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2248 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2248 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2248 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2248 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ueltoyjllxmwm.exe
PID 2248 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ueltoyjllxmwm.exe
PID 2248 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ueltoyjllxmwm.exe
PID 2248 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\ueltoyjllxmwm.exe
PID 2596 wrote to memory of 2488 N/A C:\Windows\SysWOW64\lretkxplru.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2596 wrote to memory of 2488 N/A C:\Windows\SysWOW64\lretkxplru.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2596 wrote to memory of 2488 N/A C:\Windows\SysWOW64\lretkxplru.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2596 wrote to memory of 2488 N/A C:\Windows\SysWOW64\lretkxplru.exe C:\Windows\SysWOW64\hexzdgjv.exe
PID 2248 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2248 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2248 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2248 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2468 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2468 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2468 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2468 wrote to memory of 2368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe"

C:\Windows\SysWOW64\lretkxplru.exe

lretkxplru.exe

C:\Windows\SysWOW64\ketxyvjopphpfia.exe

ketxyvjopphpfia.exe

C:\Windows\SysWOW64\hexzdgjv.exe

hexzdgjv.exe

C:\Windows\SysWOW64\ueltoyjllxmwm.exe

ueltoyjllxmwm.exe

C:\Windows\SysWOW64\hexzdgjv.exe

C:\Windows\system32\hexzdgjv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2248-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\hexzdgjv.exe

MD5 119d5e975389ba52d8626081145a9449
SHA1 45ff6750bd7d0938ea2aada1e1752f3ad7c9b908
SHA256 34328839fbeaefc7102662e503ee89b69297061dce28af3a50aa57e66f707844
SHA512 a36f553bf1229e8c248a3957b8fd24f5ca13c2e49939a2bd9b672ac5bb5bdf660949b9251949c995f9c61ef476c4957a38eb67aa09cb9b907dcbf977830ecc7f

\Windows\SysWOW64\lretkxplru.exe

MD5 ead293d718d91fe4b39a2bf932b54ef4
SHA1 dee2dcfb472ea4e16090b7f2987acd8a59a8a89e
SHA256 6423973ed4393e20665a7acb879e45d8759b874c405d99c424bbe379f115168f
SHA512 1f29528d6b1da6df845fbe1db3612ea348f74f0b8108bc5d6782d016229725dd3e5203e52434903e856bd9459820acd5a6e42ca1140563d2daf8c2bf9b0e80e3

\Windows\SysWOW64\ketxyvjopphpfia.exe

MD5 191449c019b008f29181a34a5b9da4fe
SHA1 9a89ec48d97c2e063f1b32c3e33264b97fc606d2
SHA256 c3fbcdf7a39687a81a80998c647618300f5f04821cf1f35e1a0351277f56cea3
SHA512 2e17074229840e02b522cae0d573ca4fb767573f4756a13f5ad2c7dc8ec28dc61fd04435ba5f2c73c9a678e3b797c9db32182cf0e0075c2d5cf159cffd82f7a9

\Windows\SysWOW64\ueltoyjllxmwm.exe

MD5 58b6a05825364615fa7ce007e50118a8
SHA1 be16d0bd3446fddd033c853a3198699e94b7f740
SHA256 a1686b641e51360e44427ec6da2ac15ce8cee79bfa2d80cb849ba098be2d3c45
SHA512 66c3d4cb1d0a02e8016285331705650a9313d9e840eb9aa9535aa45c3c8bf57424f9ece975003bbcb75e6d23267d9b1aad47a87ecb9075636b72457c449a13a0

memory/2468-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 8fece46fa02bb4a82581c8c1642f1d0a
SHA1 14bb4f9c472bbdd32003bca34d5f252bbd4da7d3
SHA256 44eddaeeb1a8a281a318b022971354a954c4862193a171c1affd468b34849fee
SHA512 26b449b0d5805b73bbd443d83c2b77bdd08af57d1af06c62c835242f580884a34a9ab4d6df03586967e603f19249cde13a540e1df772f9792034a86f999e337c

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 4352d9d18dfc249cce99795292f26c84
SHA1 836e09351ed6e6cd02b32ad271ade43fc2667400
SHA256 a4dfa7ae67047a7df0ef8bad7be9e079a4453d5d03bdb70c61173621a86e0f98
SHA512 d9eafa9b86beaed63d61d306b7b1aa3e68866a51e22c551196d88205821218c148bccfb1c67d4a73d05556bb08cb9fba8c782e73e9325b3c5ca4d7b8d489e663

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 bcb18f911d469d112b9c03e69010fbf8
SHA1 7342381e2b9ec946cfe855c0fee7a66772defd6a
SHA256 bdd3d0d0c756a1e044b4067cb5a8d6186d108ccdc894e3dbb2f3d0e63a71afd8
SHA512 928809a21d36c13f604578be0a4e6f0541657207c6235f25028cdc8cd0c2de0ac51ede7780392cb0061c126610063f31779099746028d0293d72b769fee62481

memory/2468-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:15

Reported

2024-06-13 04:17

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wisgfwkcof.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wisgfwkcof.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctkxguzs = "asceuwbuvxoiwlv.exe" C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zclowptyihkin.exe" C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmrqzcnj = "wisgfwkcof.exe" C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wisgfwkcof.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wisgfwkcof.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File created C:\Windows\SysWOW64\wisgfwkcof.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zclowptyihkin.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zclowptyihkin.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wisgfwkcof.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Windows\SysWOW64\wisgfwkcof.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zcucxclu.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zcucxclu.exe C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\zcucxclu.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\zcucxclu.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\zcucxclu.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\zcucxclu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C089D5183586A4377D770562CDD7D8164DF" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9CEF911F1E584753A4686993E94B38903FC4367034BE2C942EC09D3" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\wisgfwkcof.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B1294492399A52BDBAD13299D4B8" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFFFF482C851E9046D65C7E91BCE4E140593067356337D79A" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB8FF6622D9D17AD0D48A0C9160" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC7751596DBB3B8BA7FE1EC9437CA" C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wisgfwkcof.exe N/A
N/A N/A C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe N/A
N/A N/A C:\Windows\SysWOW64\zcucxclu.exe N/A
N/A N/A C:\Windows\SysWOW64\zclowptyihkin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\wisgfwkcof.exe
PID 2636 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe
PID 2636 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\zcucxclu.exe
PID 2636 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Windows\SysWOW64\zclowptyihkin.exe
PID 2964 wrote to memory of 1344 N/A C:\Windows\SysWOW64\wisgfwkcof.exe C:\Windows\SysWOW64\zcucxclu.exe
PID 2636 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3cba6af2053213e5c97c7e1cf3e54d6_JaffaCakes118.exe"

C:\Windows\SysWOW64\wisgfwkcof.exe

wisgfwkcof.exe

C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe

asceuwbuvxoiwlv.exe

C:\Windows\SysWOW64\zcucxclu.exe

zcucxclu.exe

C:\Windows\SysWOW64\zclowptyihkin.exe

zclowptyihkin.exe

C:\Windows\SysWOW64\zcucxclu.exe

C:\Windows\system32\zcucxclu.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network


Files

memory/2636-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\asceuwbuvxoiwlv.exe

MD5 60f3d57abd84fe8bbf1eae4dad364d3d
SHA1 190691c709b42276d47c5ea97286e00553236634
SHA256 e8a50e1f1ac678d5c810ab0c43a00b366feb238b21eec579333bb406d35daea3
SHA512 b94e4f6d8800769d9d9f924dd49998dbf94f6392b655d015388de154ae8591f06529aaa0731111c9e71af322e632106504a57f4767cc20b804b2a0acc17274ee

C:\Windows\SysWOW64\wisgfwkcof.exe

MD5 18fe070c2f9c8197337da47c7cba2cae
SHA1 0dc45ee6fa98f1b3f87cc7ba470ff008a3c3a55a
SHA256 d0407a319c0c7114d29d5b6190534ff489ef90629a6bcae98967c830c7a96d88
SHA512 f28dd120b87b78d9f0a1669c601cc7fb3d5613ca3de6f083e85395765ec0c0ec77fe324313c3916782ff53009c27ee572c02c9da682b397248bcc30e6bbd18ba

C:\Windows\SysWOW64\zcucxclu.exe

MD5 3f367a8b10c382093f7a396dbb0329f6
SHA1 ed695bb07f2e9586938749b0764970484b5b81c3
SHA256 0e5f7fc870e1b12a744a68769ca8284154f1cdc7a97c98809dfc4fec9a134ecc
SHA512 ef2422bb2630cffd6081e1e12d81fdd8ed233a6165378b51aabf5beac77d3b633915d1a5301dcba4ad8332a2c56f020f2d11cca047bcfe3433e715fc06e06c64

C:\Windows\SysWOW64\zclowptyihkin.exe

MD5 eadb28e40caa864fa056647127250cce
SHA1 f8b00a0e7fd6a0475c998ee60183b168b0228f18
SHA256 d04fe65edd4e7e2a4a2f3a5d087b7b02b45c17186082f3c1e7be67419c295592
SHA512 c9153df1099ba6b995266f364aadca2a37d2f26fb8a611b2edb17498d527050dcca04cf8844885dde0c4670fead975de54e7763fd3d3b31ffb8a2adf776e8000

memory/4056-39-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-38-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-37-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-40-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-41-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-42-0x00007FF9C74B0000-0x00007FF9C74C0000-memory.dmp

memory/4056-43-0x00007FF9C74B0000-0x00007FF9C74C0000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 2b425ba0453d8dae977556a430ec48cb
SHA1 00ef4e5aa853ca2d58022b198debe52f710dcf05
SHA256 932161d69a7a82e68c5cac1f6d0837d9b1b538c9d0951a002fe712e0252c4103
SHA512 5fc73c6e2530ad67801d371dd88d70831291036b5ac4c5b98411edc5a8b7a872e4c458c755aad830b47bdb0d23965b120a0cb757d2c65586d75d6b9d3ece5a89

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 1c7ad6c130469c8161786beb9f42e0f2
SHA1 b1f8001c814666990ee05e2342c6bff06e1288b6
SHA256 e8a9f0eb4019466dc43e9b9f962edf8fd4f5b5e296634547fb51e8787990097f
SHA512 23e66ed26112f95cd574e4833ed3fe170e455e30b1de828386a7454c75ea488d561366c79fda200db9d36c1b70ed11924e6c8c32eac27f0bd040e7db841d4f1b

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ca3c4f94255e73f27ae128cb0893c796
SHA1 e1132c806759bba253f8239db0838e849c910534
SHA256 2c8e204011969f8e2cc2a8e9503d695218c3710793f9fd06b6237fdd2b4403d4
SHA512 2b53824460c35de5c470c09447542692003f9e418ebb0523c5ab394e97d34bef0ce5f7e8027d99887dfa3fa9db4461e97e646a88e42e7a24b3067ba3c12cd22b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe58561a.TMP

MD5 bbd6302e4eb6c20dc5508083fb672412
SHA1 4a616d0d854ead779da89b10600b722d52615a72
SHA256 3fee187f29bac2885388b8314a3bfd148adcdcc79cb91b13894fbbf30f8f3a8c
SHA512 02c9b1714170bd24c5ad7acdc18920911704578f28c6a2174b561fb8a7f66a06ae25e74775ffd762a4dd7a183d40463e0d8d542a20fbcecfb0cc7a0c654093d9

C:\Users\Admin\AppData\Roaming\UnlockWatch.doc.exe

MD5 316f4c076bab357826b5dabdb7e82415
SHA1 4f9fe728b14c29080dffe1d0eb45c3dfa15bcb88
SHA256 59b9555f625a39d43d2464bab74a37dbd03e57287ec7e0c067843a3e8e20e466
SHA512 0c6d9780c97e905b3998bcc17eba53da70347f8418b144dca17f57d022160d6c8b6c70c44c3c9ccd04b53ae4f2d91cc4766fd8249036c7cf9354802cc3779a90

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 16eab06899fbed02ba487d372dab640c
SHA1 1c2678eb5282871d9d1f49f46e853304b163e50d
SHA256 d15f717d31c0d95fb852beecd727c187dbe9a476996c8424d55ae1a279c87369
SHA512 929fc52cdafeeb66b371a112646d37d0b56132d575033326aec0116cd714228160fc2342b6d4b224fad8c785a98cf4cb8c9abacd0412c029229ed1a809ee0806

memory/4056-120-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-123-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-122-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp

memory/4056-121-0x00007FF9C9B50000-0x00007FF9C9B60000-memory.dmp