Malware Analysis Report

2024-11-16 13:21

Sample ID 240613-f1d9tavhpb
Target a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118
SHA256 4b23b2d00d517677dfe08ded2216eded11a263d98326b3c613142d0034d0a9dc
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b23b2d00d517677dfe08ded2216eded11a263d98326b3c613142d0034d0a9dc

Threat Level: Known bad

The file a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:20

Reported

2024-06-13 05:22

Platform

win7-20240508-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jtnfqgfu = "hebcgyglhq.exe" C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vffrtakl = "suyfvtonjpfljzp.exe" C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oswtidodsvtbb.exe" C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kagbshue.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hebcgyglhq.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\suyfvtonjpfljzp.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\suyfvtonjpfljzp.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kagbshue.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oswtidodsvtbb.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\hebcgyglhq.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kagbshue.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\oswtidodsvtbb.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\kagbshue.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7D9C5283256A4477A070212CAB7D8665D8" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B12B4790399952CDBAA133E9D7B8" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCFF4F27826E9131D7587DE1BD90E631584166436345D7ED" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 2424 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 2424 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 2424 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 2424 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2424 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 2424 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 2424 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 2424 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 3052 wrote to memory of 2544 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
PID 3052 wrote to memory of 2544 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
PID 3052 wrote to memory of 2544 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
PID 3052 wrote to memory of 2544 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2424 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2424 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2424 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2424 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2628 wrote to memory of 1572 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 1572 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 1572 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 1572 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\hebcgyglhq.exe

hebcgyglhq.exe

C:\Windows\SysWOW64\suyfvtonjpfljzp.exe

suyfvtonjpfljzp.exe

C:\Windows\SysWOW64\kagbshue.exe

kagbshue.exe

C:\Windows\SysWOW64\oswtidodsvtbb.exe

oswtidodsvtbb.exe

C:\Windows\SysWOW64\kagbshue.exe

C:\Windows\system32\kagbshue.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2424-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\suyfvtonjpfljzp.exe

MD5 1f23c1959b3ea338f0220c52a8565261
SHA1 54b1f3f8043b0a2c1dc516bebcdb81741eda76f4
SHA256 7031c1ebce2f78ba10cf9ac0d9fdc221a6234bc9c5a31f9a1c7e31f5a5033e55
SHA512 8a0efe6d474199fc76be4263078e4cb806ad521529c947d094801577279bd50069121d03c8ad2aaecdcf59ebace61416c1cdc4556c73c52ceab179d2f8c03569

\Windows\SysWOW64\hebcgyglhq.exe

MD5 e5b171a4fceae9712f9800909d6dc4bb
SHA1 fb69553f169f1b8ed619cfb78eff2e4701905021
SHA256 e08f76f307335717d5d730cb85e1fcdf038226d3fe384a7a9cc7c82321359f10
SHA512 8fd73a97705c59f3f7eb6598c84f4dce588b74c0747cb2032688fb17dc4cc317c57cc048ab06f543089bfd623b49e4a756ce8040964e0b8a8cdbd18c9174bb4e

\Windows\SysWOW64\kagbshue.exe

MD5 1f0567af0832782c09ec3cf075de909e
SHA1 410894ed2120493c422d56c0e5c66277625298fa
SHA256 7ae8d3e4f1ebb28bcb71fc7a68cf2b67fc7b983e50c041a350a3d3b92e80770b
SHA512 185800124939f333eac44a9b582b804d3221ce62e7c6a8f7832973b96d936ec457f28ab6e7d5af8b94e8c92d2b3a25cfacdddc19fec08df38dea486ab2730ed8

\Windows\SysWOW64\oswtidodsvtbb.exe

MD5 2e9cb94f91fb139a069963c5a1d2f8ad
SHA1 4443c01a014ffd13349f4f274b79b3e79e86fbf3
SHA256 89c7fb16744bb84d5c86f774a89bba8658203009cd0c81098921d1139d8c9aa1
SHA512 e17b040e512e9d08cb036163b4fd4c4c8820abef6728bc63ae6e29a1846b0c6e4d219b1de80bd2dec690cd1691e70a4691e979eaaede92fb596956eb4d19d2c8

memory/2628-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\CompletePublish.doc.exe

MD5 a28230119a560c09f6e0a989f9d8e167
SHA1 1c9b252e377d440ba3d3b5c57aa679add4046c7e
SHA256 7fcbd4e1e578caa8ac0967fbf5deb254c998620fd88e9d77634f33f3d7af8b60
SHA512 c4926ebc36fac964ec10966f6b66546ad1a450ca1e67a48a8e3d2cebd8cb11d4cdcb41b762d8b5f2e2c92cf779cdff0b2b4dae775035e8445eb9dfadbd22e444

C:\Users\Admin\Documents\ReadDeny.doc.exe

MD5 79ce8095b1834d0b9c6a13c9d44fdb5e
SHA1 bc3d66f6f853d2eb688242e8aed085445f23212e
SHA256 ec77757544538fba0b26c9afc195b7adb7ef152891a693d2c958735b1ff0834f
SHA512 376378ba7eba500a63ee4a3b6a2e692aac2c5df93b805c96b8f99adf7ac67a6719e702c1285fc59a89b854d26e48fe31b8f7edd4c5d45f708ec15b37daf7f93e

memory/2628-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 9e3bba780e9870635f682ca773cfe619
SHA1 eb16b3d8cf9fc94150e368a6cd3a1c4c9efc72c1
SHA256 3eb683ffdf4aff449eb33e166c6f9aeb7f1e66d83198340c5e99114d09a2ee8d
SHA512 4b496c243b9e9b2858c5b18efc0fd8006d7aa3a4a76d089aae0ab0c3eba003d81fff2636e9cdbc3e721e68cc727ed86f76ec0344aa61a27270e5d00fc2ea6a99

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:20

Reported

2024-06-13 05:22

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oswtidodsvtbb.exe" C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jtnfqgfu = "hebcgyglhq.exe" C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vffrtakl = "suyfvtonjpfljzp.exe" C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\y: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kagbshue.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hebcgyglhq.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\hebcgyglhq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\oswtidodsvtbb.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\oswtidodsvtbb.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\hebcgyglhq.exe N/A
File created C:\Windows\SysWOW64\hebcgyglhq.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\hebcgyglhq.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\suyfvtonjpfljzp.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\suyfvtonjpfljzp.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kagbshue.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kagbshue.exe C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\kagbshue.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\kagbshue.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7D9C5283256A4477A070212CAB7D8665D8" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9B1FE64F1E4840F3A4586ED39E6B0FC038D4315034CE1C445EA09D1" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B12B4790399952CDBAA133E9D7B8" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60C15E4DBC0B9C07CE5ED9534BE" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\hebcgyglhq.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCFF4F27826E9131D7587DE1BD90E631584166436345D7ED" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068B1FE6A21DED108D0A98A7F9016" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
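The rows above show hebcgyglhq.exe repointing the (Default) ProgID of .bat, .vbs, .wsf, .wsh, .wsc and .reg to txtfile, so a double-clicked batch file, script or registry export opens in Notepad instead of running or importing; that blunts the cleanup tools an administrator reaches for first. The CLV.Classes key written by the original sample is not a Windows ProgID, and its Com*/StartCom* values are opaque hex strings the report does not decode. The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the format printed above, lists every extension whose default handler differs from a stock Windows image, and emits a .reg fragment to restore them. STOCK_PROGID is an assumption about Windows 10/11 defaults and should be checked against a known-good image before use.

```python
"""Flag script-handler hijacks in sandbox registry rows (added example).

Parses 'Set value (str)' rows in the layout this report prints and reports
extensions whose (Default) ProgID no longer matches a stock Windows install.
ROWS is copied from the table above; STOCK_PROGID is an assumption about the
defaults of a clean Windows 10/11 image.
"""
import re
from typing import Dict, List, Optional, Tuple

# Rows copied from the "Modifies registry class" table in this report.
ROWS: List[str] = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7D9C5283256A4477A070212CAB7D8665D8" C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\hebcgyglhq.exe N/A',
]

# (Default) ProgIDs of script-ish extensions on a stock Windows 10/11 install.
# Assumption: verify against your own golden image; OEM or policy changes differ.
STOCK_PROGID = {
    ".bat": "batfile", ".cmd": "cmdfile", ".vbs": "VBSFile", ".vbe": "VBEFile",
    ".js": "JSFile", ".jse": "JSEFile", ".wsf": "WSFFile", ".wsh": "WSHFile",
    ".wsc": "scriptletfile", ".reg": "regfile", ".exe": "exefile",
}

SET_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>[^"]*)" (?P<proc>.+?) N/A$')


def classes_subkey(key: str) -> Optional[str]:
    """Return the part of a registry path below ...\\Classes\\, or None."""
    m = re.search(r"\\Classes\\(.+)$", key, re.IGNORECASE)
    return m.group(1) if m else None


def find_hijacks(rows: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """Map extension -> (observed ProgID, expected ProgID, writing process).

    Only the (Default) value of an extension key counts; the sandbox prints
    that as a key path ending in a backslash.  Named values under other keys
    (for example CLV.Classes\\Com1, which is not a Windows ProgID) are skipped.
    """
    hijacks: Dict[str, Tuple[str, str, str]] = {}
    for row in rows:
        m = SET_RE.match(row)
        if not m:
            continue
        sub = classes_subkey(m["key"])
        if sub is None or not sub.startswith(".") or not sub.endswith("\\"):
            continue
        ext = sub.rstrip("\\").lower()          # registry keys are case-insensitive
        expected = STOCK_PROGID.get(ext)
        if expected and m["val"].lower() != expected.lower():
            hijacks[ext] = (m["val"], expected, m["proc"])
    return hijacks


def remediation_reg(hijacks: Dict[str, Tuple[str, str, str]]) -> str:
    """Build a .reg file that restores the expected ProgIDs under HKLM."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for ext, (_observed, expected, _proc) in sorted(hijacks.items()):
        lines.append(f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\{ext}]")
        lines.append(f'@="{expected}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_hijacks(ROWS)
    for ext, (observed, expected, proc) in sorted(found.items()):
        print(f"{ext}: {observed!r} (expected {expected!r}) written by {proc}")
    print(remediation_reg(found))
```

Because .reg itself is hijacked, apply the output with `reg import fix.reg` from an elevated console rather than by double-clicking the file, and only after the dropped SysWOW64 executables have been stopped, or the writer simply reapplies the change. Check HKCU\Software\Classes as well: a per-user key of the same name takes precedence over the HKLM value restored here.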

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\hebcgyglhq.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\oswtidodsvtbb.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\suyfvtonjpfljzp.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A
N/A N/A C:\Windows\SysWOW64\kagbshue.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 1884 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 1884 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\hebcgyglhq.exe
PID 1884 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 1884 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 1884 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
PID 1884 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 1884 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 1884 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\kagbshue.exe
PID 1884 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 1884 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 1884 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Windows\SysWOW64\oswtidodsvtbb.exe
PID 1884 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1884 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2248 wrote to memory of 3660 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2248 wrote to memory of 3660 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
PID 2248 wrote to memory of 3660 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe
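Every row in the table above is a parent writing into a child it has just started: the original sample (PID 1884) into the four SysWOW64 executables and WINWORD.EXE, and hebcgyglhq.exe (2248) into a second kagbshue.exe (3660). Every target is one of the entries in the Processes list, and no target is written to by more than one process. The two or three identical rows per child are what these reports show when a parent populates a freshly created process before it runs; on its own the table does not show injection into an unrelated process that was already running. The script below is an added example, not sandbox output: it rebuilds the tree from rows in this layout, counts writes per edge and checks how many distinct writers each target has, which makes that distinction visible. The row format it assumes is `PID <parent> wrote to memory of <child> N/A <parent image> <child image>`.

```python
"""Rebuild the parent/child process tree from WriteProcessMemory rows (added example).

ROWS is copied from the table above.  The parser assumes the layout
'PID <parent> wrote to memory of <child> N/A <parent image> <child image>'.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe"
WORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"

ROWS: List[str] = (
    [rf"PID 1884 wrote to memory of 2248 N/A {SAMPLE} C:\Windows\SysWOW64\hebcgyglhq.exe"] * 3
    + [rf"PID 1884 wrote to memory of 4608 N/A {SAMPLE} C:\Windows\SysWOW64\suyfvtonjpfljzp.exe"] * 3
    + [rf"PID 1884 wrote to memory of 588 N/A {SAMPLE} C:\Windows\SysWOW64\kagbshue.exe"] * 3
    + [rf"PID 1884 wrote to memory of 2584 N/A {SAMPLE} C:\Windows\SysWOW64\oswtidodsvtbb.exe"] * 3
    + [rf"PID 1884 wrote to memory of 3552 N/A {SAMPLE} {WORD}"] * 2
    + [r"PID 2248 wrote to memory of 3660 N/A C:\Windows\SysWOW64\hebcgyglhq.exe C:\Windows\SysWOW64\kagbshue.exe"] * 3
)

# Source path is matched lazily so that a destination path containing spaces
# (Program Files) still lands in <dst>.
WPM_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<src>[A-Za-z]:\\.+?) (?P<dst>[A-Za-z]:\\.+)$"
)


def build_tree(rows: List[str]):
    """Return (children, writes, image): adjacency list, writes per edge, PID -> image."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    image: Dict[int, str] = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        writes[(parent, child)] += 1
        image[parent] = m["src"]
        image[child] = m["dst"]
    children: Dict[int, List[int]] = defaultdict(list)
    for parent, child in writes:            # insertion order keeps report order
        children[parent].append(child)
    return dict(children), dict(writes), image


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs that write to others but are never written to themselves."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in targets)


def writers_per_target(writes: Dict[Tuple[int, int], int]) -> Dict[int, List[int]]:
    """Distinct writer PIDs per target; more than one writer would merit a closer look."""
    w: Dict[int, set] = defaultdict(set)
    for parent, child in writes:
        w[child].add(parent)
    return {c: sorted(p) for c, p in w.items()}


def render(children, writes, image, pid: int, depth: int = 0) -> List[str]:
    """Indented parent -> child lines with the write count per edge."""
    lines = []
    for child in children.get(pid, []):
        name = image[child].rsplit("\\", 1)[-1]
        lines.append(f"{'    ' * depth}{pid} -> {child} {name} (writes={writes[(pid, child)]})")
        lines.extend(render(children, writes, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    ch, wr, im = build_tree(ROWS)
    for root in roots(ch):
        print(f"{root} {im[root].rsplit(chr(92), 1)[-1]}")
        print("\n".join(render(ch, wr, im, root)))
    print("writers per target:", writers_per_target(wr))
```

The second kagbshue.exe instance (PID 3660) shows a command line of C:\Windows\system32\kagbshue.exe in the Processes list but runs from SysWOW64; that is WoW64 file system redirection for a 32-bit parent, not a second copy of the file under system32.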

Processes

C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f5dd4ad29feee1a8c4022b997598f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\hebcgyglhq.exe

hebcgyglhq.exe

C:\Windows\SysWOW64\suyfvtonjpfljzp.exe

suyfvtonjpfljzp.exe

C:\Windows\SysWOW64\kagbshue.exe

kagbshue.exe

C:\Windows\SysWOW64\oswtidodsvtbb.exe

oswtidodsvtbb.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\kagbshue.exe

C:\Windows\system32\kagbshue.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 52.111.229.43:443 tcp

Files

memory/1884-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\suyfvtonjpfljzp.exe

MD5 f40d021f667626cd59354f793d9a3449
SHA1 cd9f9eb96e77169c171c86eb3a6c15771da57a1b
SHA256 336c05be13db5cc23242c8209941444c2a5e618b8a61c145bc5e5f0cd8071beb
SHA512 372fc8f708d8a68a30e149516e10f60200fad33af70b6905b6e235245b8d6a8e95a01de58beb29687ae84dd159cbc1f3c5bc4d7a2b40f2a4084e60f9073dda7d

C:\Windows\SysWOW64\hebcgyglhq.exe

MD5 09fc659f8575d010b28ce1ed2312bfc7
SHA1 0b3d849c6510227b6692b4c6a5ccd37c018a3f31
SHA256 ff142a8c69675b5e6add448c45c772e3c866119d88572e6ed9512eaf1917aca4
SHA512 a79f079dd7559021206c9d08a2a7ea6163550ece3ab21bcb3da36206efb3523f24c1481cb6bfa454abc27e8467b2fdc2ea1acbee6459cd3bb249151b7b279316

C:\Windows\SysWOW64\kagbshue.exe

MD5 54a491ca72c5a3883dd82051b63239a3
SHA1 8d7bf873dde81fad00493eb745f26ea6c55a5db0
SHA256 680d75dac46c9813e4ed5be5a1877dae36a5fe1a6ec2d905fa4ce999c06fdb18
SHA512 6421db42162a4925ece92a799de2f483fedd16682250966a4fa9d1437bd047f120889033476e685f87d50647b5bf3aea4a6e8b757bcc59125152cb0b3ff091bb

C:\Windows\SysWOW64\oswtidodsvtbb.exe

MD5 531d95d27437c01eff1a6bdffbd1946a
SHA1 8b683e6228abaf523ee60c1e4e0b372325951e30
SHA256 9d3d5f5296fa1f7e47b46ab5fcbdd42d2a5f6934bbefcbe17da78fb844e1304a
SHA512 ea60988c09d6a52689b1bf5054a141620c6251c0e57011e18e7e24a14877786e7136063838a0044bff0343f61817ddf7ca00880c54959187d3de891e6de7a7f7

memory/3552-35-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-36-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-37-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-38-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-39-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-40-0x00007FFDAB7A0000-0x00007FFDAB7B0000-memory.dmp

memory/3552-43-0x00007FFDAB7A0000-0x00007FFDAB7B0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 cb7a94d02c814d42e0d36752d23604ff
SHA1 a3dc9b99402aad1776c01d4ac787c4fa6336ed20
SHA256 fc3e2de613545cf33019b5dce9be49db46e0f38b61012c7b81fefc396501e537
SHA512 4b808c4adbfb0a918850a0c1fe548ae9dec14b3b6fdb60f0215f5863d79e1d420b338cb171b74195bedc714dd3a0bd301f36b7cca8583491dea8fc57c26346a5

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 ac3c19dc9bd8b2ae189d8daab873823f
SHA1 5343e7bbcb81b83191ca463d3abbd2d63d1998a1
SHA256 d787005dfb839da132f6579d51afc9341d962f010cda3e62484c62a831426d13
SHA512 a7dca853af555973af0672356203c8ff9f94c774d7d764b0639578f316e948984fbdba036f7f6e2fc56994afaa021731636070dc5f60c5abcfb4c93f1526ac86

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 2dfe26c67075f453141b745ee70b17f4
SHA1 91103d76e23f839a4ccb4bb10d667236935dc861
SHA256 cc92635b7a723eb2a19dad5089e99ce440d188095de5bc46a606c82a80116b0d
SHA512 6f7cf2a640a5b5aa17708e524b3091ca10f27413d097fb322691637acefc7339a386594933f650b3862b2f2c723ae3e56b0a288a60bd7076f5812d40f7eefbbd

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 35ed93c9d1943081b457791f60ceef00
SHA1 4fd7bcfcbaf899d6f0b760468d069646afad13d0
SHA256 4cb5d8b6ef064a0fbe2437aed96c2e133a4694e9436b69d159afb71de5f66161
SHA512 5c62476a2da0f8babffb6363d0378cc67f5b2ac993e2f2540cca12f28b40cb9c57517a0447f517ce48a90e375096f75110703be3f74b5c310910c99b262196ad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 484e7de1461e24a632b70781ec4ab9e4
SHA1 50c72f2d808643a65b3619e62dd11c2086d437cd
SHA256 3d7d254adb25de22500f4af2a4df83c9bf564f16d0e7869d4ce4acb8d8cb7700
SHA512 e3d28e31094c2249e1cee14c621c669feda89f0001192b40e7c9161dd0efd169fbaa7cd60d66a3fdda5efa57370be5e9d7b93e1863b7675e512f9a77a54589c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 85e534a9ba90bfebe3f6061233846f30
SHA1 125de2173a0cdff2d8cb15949dcb1b1b8e66e917
SHA256 ed6261ac7f255eeda080ed8915a05c1a4d472a744853ddfc48c8f061a5edd66b
SHA512 52ce62fcb06ffae001a1891f44e21e259e3de1234a5621f6d5aeac0c03dd9d879820eb5c1c2df1b6859f02dae65c7619fadf87d5b058aa571a20d132fee6c544

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 9a6e22ff774a145be3b890ed49d8a163
SHA1 aa7bd20b6eeaef222247b7784153da5a24dfc5d6
SHA256 e8b7cda9caa6cb620f4b6359e289ad8fdfa9837fe8ef4d3d5f951d1792d842c1
SHA512 67850fd31baffef702cbe6636674634873c53914ab52d56de2ba8599bc5106b37113ed753198bbabcbb429a1734b430a0dbdbf50cae1431bd2c948f99fed2b02

memory/3552-113-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-114-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-115-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp

memory/3552-112-0x00007FFDAD8F0000-0x00007FFDAD900000-memory.dmp
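Besides the four randomly named executables dropped into SysWOW64, the Files list shows Office template and IRM helper files rewritten as PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe: a document name with .exe appended, which Explorer displays as the plain document name once known extensions are hidden. MsoIrmProtector.doc.exe and the customDestinations-ms file appear twice with different hashes because they were written more than once during the run. The script below is an added example, not part of the report: it parses entries in the layout used above (a path line followed by hash lines, with the NT \??\ prefix stripped), flags document-named executables and executables written under SysWOW64, and collects their SHA256 values into a blocklist. FILES_TEXT is a constructed subset of the Files list with the SHA1 and SHA512 lines omitted; DOC_EXTS is an assumption about which document extensions are worth flagging.

```python
"""Pull file IOCs out of a Files list and flag document-named executables (added example).

FILES_TEXT is a subset of this report's Files section (SHA1/SHA512 omitted; the
parser accepts them).  DOC_EXTS is an assumption.
"""
import re
from typing import Dict, List, Tuple

FILES_TEXT = r"""
memory/1884-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\suyfvtonjpfljzp.exe
MD5 f40d021f667626cd59354f793d9a3449
SHA256 336c05be13db5cc23242c8209941444c2a5e618b8a61c145bc5e5f0cd8071beb

C:\Windows\SysWOW64\hebcgyglhq.exe
MD5 09fc659f8575d010b28ce1ed2312bfc7
SHA256 ff142a8c69675b5e6add448c45c772e3c866119d88572e6ed9512eaf1917aca4

C:\Windows\SysWOW64\kagbshue.exe
MD5 54a491ca72c5a3883dd82051b63239a3
SHA256 680d75dac46c9813e4ed5be5a1877dae36a5fe1a6ec2d905fa4ce999c06fdb18

C:\Windows\SysWOW64\oswtidodsvtbb.exe
MD5 531d95d27437c01eff1a6bdffbd1946a
SHA256 9d3d5f5296fa1f7e47b46ab5fcbdd42d2a5f6934bbefcbe17da78fb844e1304a

C:\Windows\mydoc.rtf
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
MD5 ac3c19dc9bd8b2ae189d8daab873823f
SHA256 d787005dfb839da132f6579d51afc9341d962f010cda3e62484c62a831426d13

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
MD5 2dfe26c67075f453141b745ee70b17f4
SHA256 cc92635b7a723eb2a19dad5089e99ce440d188095de5bc46a606c82a80116b0d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 35ed93c9d1943081b457791f60ceef00
SHA256 4cb5d8b6ef064a0fbe2437aed96c2e133a4694e9436b69d159afb71de5f66161

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 9a6e22ff774a145be3b890ed49d8a163
SHA256 e8b7cda9caa6cb620f4b6359e289ad8fdfa9837fe8ef4d3d5f951d1792d842c1
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Assumption: document extensions that should never precede .exe in a filename.
DOC_EXTS = ["doc", "docx", "docm", "dot", "dotx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"]
DOUBLE_EXT_RE = re.compile(r"\.(" + "|".join(DOC_EXTS) + r")\.exe$", re.IGNORECASE)


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix the sandbox sometimes prints."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_files(text: str) -> List[Dict]:
    """A non-hash line starts a new entry; following hash lines attach to it."""
    entries: List[Dict] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur["hashes"][m.group(1)] = m.group(2)
        else:
            cur = {"path": normalize(line), "hashes": {}}
            entries.append(cur)
    return entries


def suspicious_files(entries: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Flag document-named executables and executables written under SysWOW64."""
    flagged = []
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        reasons = []
        if DOUBLE_EXT_RE.search(name):
            reasons.append("document extension followed by .exe")
        if e["path"].lower().startswith("c:\\windows\\syswow64\\") and name.lower().endswith(".exe") and e["hashes"]:
            reasons.append("executable written under SysWOW64 during the run")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def sha256_blocklist(entries: List[Dict]) -> List[str]:
    """Sorted, de-duplicated SHA256 values of every flagged entry."""
    flagged_paths = {p for p, _ in suspicious_files(entries)}
    return sorted({e["hashes"]["SHA256"] for e in entries
                   if e["path"] in flagged_paths and "SHA256" in e["hashes"]})


if __name__ == "__main__":
    parsed = parse_files(FILES_TEXT)
    for path, reasons in suspicious_files(parsed):
        print(f"{path}: {'; '.join(reasons)}")
    print("\n".join(sha256_blocklist(parsed)))
```

Hash-based blocking catches only these exact files; the random names under SysWOW64 and the rewritten Office files will differ on another host, so the double-extension and write-location rules are the part worth turning into a hunt across the fleet.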