Malware Analysis Report

2024-11-16 13:21

Sample ID 240613-f3dfaswajg
Target a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118
SHA256 c263705c9fbdbea155b32e6ed9d7226184472ab306618abbe868f1ac42c206a5
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c263705c9fbdbea155b32e6ed9d7226184472ab306618abbe868f1ac42c206a5

Threat Level: Known bad

The file a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:23

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:23

Reported

2024-06-13 05:26

Platform

win7-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\erdljuue = "xzlxjewrua.exe" C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sgbxuhtw = "wjtnbwvciiqueui.exe" C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mbjzzegevbcki.exe" C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mauydhil.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xzlxjewrua.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\xzlxjewrua.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wjtnbwvciiqueui.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mauydhil.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mbjzzegevbcki.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File created C:\Windows\SysWOW64\wjtnbwvciiqueui.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mauydhil.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mbjzzegevbcki.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D0D9C2582576A3676D577212DDC7CF464D8" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12B449238EB53CABAA1329CD7CA" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FABEFE10F197830B3A46819D3992B0FD02FD4269023CE1CB459E08A3" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 1904 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 1904 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 1904 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 1904 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 1904 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2760 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
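The WriteProcessMemory table above shows four identical rows per child, so the parent/child structure is easy to lose. Rebuilding the tree from it makes explicit what the Processes list below only implies: the submitted sample (PID 1904) starts four copies of itself out of C:\Windows\SysWOW64 plus WINWORD.EXE on C:\Windows\mydoc.rtf, and xzlxjewrua.exe (PID 1576) starts a second mauydhil.exe (PID 2336), which is why mauydhil.exe is listed twice under Processes. The following Python is an added example for this page, not part of the sandbox's tooling; the sample rows are copied from the table above, with two of the report's verbatim repeats kept to exercise the de-duplication.

```python
"""Rebuild the process tree from a sandbox 'Suspicious use of WriteProcessMemory'
table. Added example for this report, not sandbox tooling; SAMPLE_ROWS are copied
from the behavioral1 table, two verbatim repeats included on purpose."""
import re

# Columns: Description ("PID X wrote to memory of Y"), Indicator (N/A), Process, Target.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

SAMPLE_ROWS = r"""
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 1904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 1904 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 1904 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 1576 wrote to memory of 2336 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 1904 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2760 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 2128 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""


def parse_rows(text):
    """Distinct (ppid, pid, parent_image, child_image) edges in first-seen order.
    The table repeats a row for every write into the same child, so this
    de-duplication is what turns 'writes' back into 'process creations'."""
    seen = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            seen.setdefault((int(m[1]), int(m[2]), m[3], m[4]), None)
    return list(seen)


def build_tree(edges):
    """Return (image_by_pid, children_by_pid, roots). A root is a PID that no
    other process in the table wrote into, i.e. the submitted sample."""
    image, children = {}, {}
    for ppid, pid, parent, child in edges:
        image.setdefault(ppid, parent)
        image.setdefault(pid, child)
        children.setdefault(ppid, []).append(pid)
        children.setdefault(pid, [])
    written_to = {pid for _, pid, _, _ in edges}
    roots = [p for p in image if p not in written_to]
    return image, children, roots


def basename(path):
    return path.rsplit("\\", 1)[-1]


def lineage(pid, edges):
    """Image basenames from the root down to pid: answers 'which dropped
    binary started this one?' for a PID picked out of any other table."""
    image, _, _ = build_tree(edges)
    parent_of = {p: pp for pp, p, _, _ in edges}
    chain = []
    while pid in image:
        chain.append(basename(image[pid]))
        if pid not in parent_of:
            break
        pid = parent_of[pid]
    return chain[::-1]


def dropped_from_temp(edges):
    """Children that a %TEMP%-resident parent started out of C:\\Windows:
    the drop-into-System32-then-execute pattern this sample shows."""
    return [basename(child) for _, _, parent, child in edges
            if "\\AppData\\Local\\Temp\\" in parent and child.startswith("C:\\Windows\\")]


def render(edges):
    """Indented tree, one line per PID, in the order the table introduces them."""
    image, children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {image[pid]}")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print(render(edges))
    print("dropped and executed:", dropped_from_temp(edges))
    print("lineage of 2336:", " -> ".join(lineage(2336, edges)))
```

Feed it the full table instead of SAMPLE_ROWS and the same functions apply; a PID that appears as a root other than the sample would indicate a write into a process the table never shows being created, which is worth a second look.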

Processes

C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe"

C:\Windows\SysWOW64\xzlxjewrua.exe

xzlxjewrua.exe

C:\Windows\SysWOW64\wjtnbwvciiqueui.exe

wjtnbwvciiqueui.exe

C:\Windows\SysWOW64\mauydhil.exe

mauydhil.exe

C:\Windows\SysWOW64\mbjzzegevbcki.exe

mbjzzegevbcki.exe

C:\Windows\SysWOW64\mauydhil.exe

C:\Windows\system32\mauydhil.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1904-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\wjtnbwvciiqueui.exe

MD5 52048985477a503b9067b7ac1de6e004
SHA1 6be9cbacd0838395976d6f684e70ca29df1e9bdf
SHA256 ce7f340480b4e5622c7f8fe59746074d957f0596e0a612efcdf5aa357cb0a16c
SHA512 998d3ba3fd5acfb5a154d6721598ec34f194872101dc78e94d6ee1a7ec86bc7e255b1e5262c5da669eb93199d2cf15e7a1b0a75375781c49e5b40e30a6dbaa37

\Windows\SysWOW64\xzlxjewrua.exe

MD5 d7bdf5a51ce21c4a7cdf8ba3bc457f30
SHA1 66c19ade601e74b61444c5dabb28d3e99476598d
SHA256 b88f792a8db41adb0897ca8c1fdaa77c0fecc09689f9e78442fc8cf6510f30cd
SHA512 b49be2b71e5bb720083ec052adc3d6c08320770f4776a385cb194d3704c70ba66b7f9ad52b5658316cc7b8abebd1251e74306342f1cfc3616d0960b49ef51ebb

\Windows\SysWOW64\mauydhil.exe

MD5 423d982fd1d161841bca84dcfcd38377
SHA1 a572e0e6e732678fc53e4d8467e946d287ecff51
SHA256 1649f5754b7130ed16e127ef7e8a1d3f3d11b8b92c26d7fc4af5721ee8d1ad66
SHA512 fec4aae287bea1b24d68dff269d8c7770646c58ae27702b3be27b6a2340e4910c6ac04496f7443298028ce5de731fe3832256484094b54c3b4a65d98102b614f

C:\Windows\SysWOW64\mbjzzegevbcki.exe

MD5 8858e8d8c52098757a742b0c27614c5b
SHA1 62db79cd30554bbbfdbf23ff72a280b3f61c7dd9
SHA256 0cf845ace679f00676cdb220ca18e5fae80fcc688f0472ad6ec4aff266fe4d68
SHA512 0347433dbca9cbb719ec6007b76a5e11ad8c0ab3652491aa92e1065e74f554da274fa0cb7674cb44f7df31f95f874d35d0b1accbe1ccffdfcf6743153795c6b7

memory/2760-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 874e019bc9008ac226326c0d074b9f81
SHA1 597bcdedb9d86378558160c8467751a1b875f151
SHA256 e940a24425cf0b28e574de81b129e9b98552837f512cba775d3e1fb20a50369b
SHA512 3fb300a2cb9b3d88fcae8433ed3bbe5a8da7c07791d3c8b294b8f45c789de474746da24b08c36209f7e5ddc051f54404e7815f6f1d2bd01c963c39fb848f5baf

C:\Users\Admin\Documents\SwitchUndo.doc.exe

MD5 6f6092b1b34f798e0bbf1157094501b0
SHA1 af536b248d5e7ec869a646977ad6933ada36ebb0
SHA256 c5f2fd35bfec81c756e326ab9e3898bd7066b07869d5ba52493554b2b15d3f8e
SHA512 12b76fb5f8a34ec0744f2b45964d73e53880b057fd33ccc5e98c2e58f06a6bc345daf1662a2c73cd4e69b09bf12ac5b899848e5eced24db8bdd0b604cd6331d5

memory/2760-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 b8e20bddce0f1530a3fab81bb24ff801
SHA1 7120153a3ae664b2bb25e96ab7f4b385ba3dfba9
SHA256 c7aede6fab160528477b11c54fd7790fb7948d3f74ef43b488fc4f4d1c7c605c
SHA512 226f62a44092b4169eaf87229421ef61e980c688dcb7facd20cd4a887dc9d9e2805fcbf89c29f10fe15d37eee71f0bb48e7ae93f006c44bf5f1900a4289facc9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:23

Reported

2024-06-13 05:26

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mbjzzegevbcki.exe" C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\erdljuue = "xzlxjewrua.exe" C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sgbxuhtw = "wjtnbwvciiqueui.exe" C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\mauydhil.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\xzlxjewrua.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\xzlxjewrua.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xzlxjewrua.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wjtnbwvciiqueui.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mauydhil.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mbjzzegevbcki.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mbjzzegevbcki.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Windows\SysWOW64\xzlxjewrua.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wjtnbwvciiqueui.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mauydhil.exe C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\xzlxjewrua.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\UnpublishAdd.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files\UnpublishAdd.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\UnpublishAdd.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\UnpublishAdd.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\mauydhil.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\mauydhil.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFFC482A821B9032D75B7D92BD93E634594567446335D79D" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D0D9C2582576A3676D577212DDC7CF464D8" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FABEFE10F197830B3A46819D3992B0FD02FD4269023CE1CB459E08A3" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B7FE1B21ABD27AD1D28B7C9116" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC60F15E0DBB3B9C17C95ECE537CE" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12B449238EB53CABAA1329CD7CA" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
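
The rows above show xzlxjewrua.exe pointing the (Default) value of HKLM\SOFTWARE\Classes\.bat, .vbs, .wsh, .wsf, .wsc and .reg at "txtfile". Those keys decide which ProgID handles a double-click, so after this change a cleanup batch file, VBScript or .reg merge opens in Notepad instead of running, which is why this pattern belongs in the evasion bucket rather than being dismissed as registry noise. The CLV.Classes\Com1..Com4 and StartCom1/2 values are opaque hex blobs written by the sample itself; their encoding is not established by this report, so they are left as-is. The script below is an added example written for this report (not the sandbox's own tooling): it parses the table rows copied above, flags every script extension whose handler was moved off its stock ProgID, and emits the reg.exe commands that restore them. EXPECTED_PROGID is the stock Windows mapping and is an assumption for any build that differs; the function names are mine.

```python
"""Flag script-extension handler hijacks in the registry events above.

Added example for this report, not sandbox tooling. REPORT_LINES are
copied from the "Modifies registry class" table; EXPECTED_PROGID is the
stock Windows mapping and is an assumption for any build that differs.
"""
import re
import sys

# Stock (Default) values of HKLM\SOFTWARE\Classes\<ext>. Pointing a script
# extension at "txtfile" hands the file to Notepad instead of cmd.exe,
# wscript.exe or regedit.exe, so cleanup .bat/.vbs/.reg files stop working
# when double-clicked (an explicit "cmd /c file.bat" still runs them).
EXPECTED_PROGID = {
    ".bat": "batfile", ".cmd": "cmdfile",
    ".vbs": "VBSFile", ".vbe": "VBEFile", ".js": "JSFile",
    ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile",
    ".reg": "regfile",
}

# Row shape: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" <process> N/A
# Only extension keys (leading dot) match; CLV.Classes\ComN rows are skipped.
SET_VALUE_RE = re.compile(
    r'Set value \(\w+\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.\w+)\\ = "([^"]*)" (\S+)',
    re.IGNORECASE,
)

# Copied from the table above (a CLV.Classes row is included to show it is ignored).
REPORT_LINES = r"""
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFFC482A821B9032D75B7D92BD93E634594567446335D79D" C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\xzlxjewrua.exe N/A
"""


def parse_extension_writes(lines):
    """Yield (extension, new_progid, writing_process) for each matching row."""
    for line in lines:
        m = SET_VALUE_RE.search(line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def find_hijacks(lines):
    """{ext: (observed, expected, process)} for script types moved off their
    stock handler. Comparison is case-insensitive: the sample writes .WSH/.WSF."""
    hijacks = {}
    for ext, progid, proc in parse_extension_writes(lines):
        expected = EXPECTED_PROGID.get(ext)
        if expected and progid.lower() != expected.lower():
            hijacks[ext] = (progid, expected, proc)
    return hijacks


def remediation_commands(hijacks):
    r"""reg.exe lines that put the stock handlers back (run elevated). A
    per-user override under HKCU\Software\Classes would still take
    precedence, so check that hive too on a real host."""
    return [
        f'reg add "HKLM\\SOFTWARE\\Classes\\{ext}" /ve /d {expected} /f'
        for ext, (_, expected, _) in sorted(hijacks.items())
    ]


def check_live_host():
    r"""Compare a Windows host's HKLM\SOFTWARE\Classes defaults with the
    stock table. Returns {} on non-Windows so the module imports anywhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    drift = {}
    for ext, expected in EXPECTED_PROGID.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\" + ext) as key:
                value, _ = winreg.QueryValueEx(key, "")  # "" reads the (Default) value
        except OSError:
            continue  # key or default value absent: nothing to compare
        if str(value).lower() != expected.lower():
            drift[ext] = (value, expected)
    return drift


if __name__ == "__main__":
    found = find_hijacks(REPORT_LINES.splitlines())
    for ext, (seen, expected, proc) in sorted(found.items()):
        print(f"{ext}: now {seen!r}, stock {expected!r}, set by {proc}")
    print(*remediation_commands(found), sep="\n")
    print("live host drift:", check_live_host())
```

On the sandbox rows this reports six hijacked extensions, all written by xzlxjewrua.exe, and prints one reg add per extension. check_live_host only reads HKLM; HKCR is the merged view of HKLM and HKCU\Software\Classes, so a host that looks clean here can still have a user-level override.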

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\xzlxjewrua.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A
N/A N/A C:\Windows\SysWOW64\mauydhil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 3920 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 3920 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe
PID 3920 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 3920 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 3920 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
PID 3920 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 3920 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 3920 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe
PID 3920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 3920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 3920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe
PID 4416 wrote to memory of 4420 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 4416 wrote to memory of 4420 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 4416 wrote to memory of 4420 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe
PID 3920 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3920 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe"

C:\Windows\SysWOW64\xzlxjewrua.exe

xzlxjewrua.exe

C:\Windows\SysWOW64\wjtnbwvciiqueui.exe

wjtnbwvciiqueui.exe

C:\Windows\SysWOW64\mauydhil.exe

mauydhil.exe

C:\Windows\SysWOW64\mbjzzegevbcki.exe

mbjzzegevbcki.exe

C:\Windows\SysWOW64\mauydhil.exe

C:\Windows\system32\mauydhil.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
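
The WriteProcessMemory table and the process list above together give the detonation's lineage: the sample (PID 3920) starts the four SysWOW64 drops and WINWORD.EXE, and xzlxjewrua.exe (4416) starts a second mauydhil.exe (4420) through the system32 path, which WOW64 file-system redirection resolves to SysWOW64 for a 32-bit caller. A parent writing into a child it has just created is what process creation looks like from the sandbox hook, so the signature fires on every spawn; the three identical rows per child are that pattern, not injection. The script below is an added example written for this report (not sandbox tooling): it parses the rows copied from the table, rebuilds the tree with write counts, and lists any PID that received writes from more than one parent, which is the case that would actually deserve the "suspicious" label. The function names are mine.

```python
"""Rebuild the detonation's process lineage from the WriteProcessMemory rows.

Added example for this report, not sandbox tooling. WPM_ROWS is copied
from the "Suspicious use of WriteProcessMemory" table above. A parent
writing into a child it has just created is what CreateProcess looks like
from the sandbox hook, so the rows are read here as creation edges.
"""
import re
from collections import Counter, defaultdict

# Row shape: PID <parent> wrote to memory of <child> N/A <parent image> <child image> N/A
# The non-greedy parent image stops at the first " C:\", so a child path
# containing spaces (Program Files) still splits correctly.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+) N/A$")

WPM_ROWS = r"""
PID 3920 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe N/A
PID 3920 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe N/A
PID 3920 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\xzlxjewrua.exe N/A
PID 3920 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
PID 3920 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
PID 3920 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\wjtnbwvciiqueui.exe N/A
PID 3920 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe N/A
PID 3920 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe N/A
PID 3920 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mauydhil.exe N/A
PID 3920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
PID 3920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
PID 3920 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Windows\SysWOW64\mbjzzegevbcki.exe N/A
PID 4416 wrote to memory of 4420 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe N/A
PID 4416 wrote to memory of 4420 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe N/A
PID 4416 wrote to memory of 4420 N/A C:\Windows\SysWOW64\xzlxjewrua.exe C:\Windows\SysWOW64\mauydhil.exe N/A
PID 3920 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
PID 3920 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a3f8b7fc33ff03b89841d76533fb2c6d_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
"""


def parse_rows(text):
    """Counter{(parent_pid, child_pid, parent_image, child_image): writes}."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid), pimg, cimg)] += 1
    return edges


def build_tree(edges):
    """Return (pid -> image, pid -> [child pids] in first-seen order, root pids)."""
    image, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    all_children = {c for kids in children.values() for c in kids}
    roots = [pid for pid in image if pid not in all_children]
    return image, children, roots


def render(edges):
    """Indented tree lines. The write count per child is kept so an outlier
    (far more writes than its siblings) stands out at a glance."""
    image, children, roots = build_tree(edges)
    writes = Counter()
    for (_, cpid, _, _), n in edges.items():
        writes[cpid] += n
    lines = []

    def walk(pid, depth):
        name = image[pid].rsplit("\\", 1)[-1]
        count = f" ({writes[pid]} writes)" if pid in writes else ""
        lines.append(f"{'  ' * depth}{pid} {name}{count}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def multi_parent_targets(edges):
    """PIDs written to by more than one distinct parent. A freshly created
    child has exactly one creator, so anything listed here is an injection
    candidate rather than a spawn."""
    parents = defaultdict(set)
    for ppid, cpid, _, _ in edges:
        parents[cpid].add(ppid)
    return sorted(pid for pid, ps in parents.items() if len(ps) > 1)


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print("\n".join(render(edges)))
    print("multi-parent targets:", multi_parent_targets(edges))
```

For this report the tree has a single root (3920) with five direct children and one grandchild (4420 under 4416), and multi_parent_targets returns nothing, which matches the reading that every row here is a spawn.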

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.184:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 9.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

memory/3920-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\wjtnbwvciiqueui.exe

MD5 345260700372e8aa56748d12bf9980c1
SHA1 bcf0179b4bd845792ee48a87603a36fff69f86d3
SHA256 3d6a67d8ee3a10f496638fb07965177d8401d9752eacc1cfbe93123efc5eef1a
SHA512 2eb1baa7c758a6a4732760b944347b29527244e9c6b6f04168d36cc28047828fda6682208ccd70f324ed8582f0022cb8e0a75a90481501f6afd42962815a672e

C:\Windows\SysWOW64\xzlxjewrua.exe

MD5 5b01095308dca953f9988126b3956674
SHA1 8cae7b0723ea001ea8105851a2c66aae78c687e6
SHA256 0c61f0464afeb2a86b24a5b7b7b4d9d5c13ffae98971be3e195c49ad7cec93c0
SHA512 d943bacbd29f3c10d5bdc289709e89b0f3ec521acbe8ef24d7c0c0a9c17b0368ac7553dc901ca74cb4201ddd0286c5daa9413fa55246ecbf4a1b45da909087ba

C:\Windows\SysWOW64\mauydhil.exe

MD5 e2731ecd6bbb7c96a02f712a57484267
SHA1 ff884ff6565e6a5af039061e2d475b2df51b9197
SHA256 25f6144e91a11e9ef20838f212b4f0ca550c716da4cd63ad6b53c5c2c7c09280
SHA512 1dcef3f4e89029c8ab66c1cdfc2712f6186a6913189f170e8058234fee26a0b8e02d23028d3b543a47c1b743e914e7c734eefaf9e87de43b893207a057bbe46f

C:\Windows\SysWOW64\mbjzzegevbcki.exe

MD5 b525dfea1d259f10002bd446a83c844e
SHA1 3c52756f93f42098fd77657cfe6b572269c95424
SHA256 f46cb9830b7b92c9ea4a8a0bae8aec7c820b24b780eedc76e9a76fe59d1c3e1a
SHA512 287c7bfa1521ee7a75c6584700c8606cac08c839380cdb2acd4f96cd8679de1b6c117e8a74fdb941b41a2c379e883a1fbbd8037d59e4d84986e8db5cba3342ee

memory/3556-37-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-39-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-38-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-40-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-41-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-42-0x00007FFBD9870000-0x00007FFBD9880000-memory.dmp

memory/3556-43-0x00007FFBD9870000-0x00007FFBD9880000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 13bcfc6ae407c275916eaf4c297c38ea
SHA1 f0a980086c6a86077a637d0c1465afedd2f2d18c
SHA256 23cb6f73b7c4806eb7536b297f4578c1188845494cbbd1e53c696a0c4afd345b
SHA512 7925f8ad4c912140557f9c28ea23cc84a96f66598fd808dfe97c826e3d9993833a273a661b9886214212bcfb3fa6003f1ab7e14d9f91b79099c92a7330a47f65

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 473f8f74a3d31cf6fef7350587220cf2
SHA1 455aade3b7069ff8a6106a9dbf1f7b2f93d69a85
SHA256 f9cfa24b88c663d3a4c3160e6a72f6c582583ee07ac0a2b97f7431322d30e0b8
SHA512 2bbff6f4869242505adcdc96bd7fc6836432cf0e8e1d2b428a2a453e6c681faa5fe63cb984c1c6a2ace55ac3a771828e8258eb750e0f9974ccb0e7407209c80f

C:\Users\Admin\Documents\WaitStop.doc.exe

MD5 5e3d38c49e1631c1c3ddb802e5e9cd51
SHA1 dc860d05c9f0c470234d0947dfc0f42b1f040e0a
SHA256 1b2517782f4eb4e7637732b915d2d4a3cdb5562655973ed7a74150c331106bb1
SHA512 be485f9b48d2680afb6f35382210d77ca0dc2995ee5bfcb84fc3e5081d9adc00fe2f6efef23f2c5bde8d650ad8b10b1a2b409ba6d75d46c8ca5260a387c908fd

C:\Users\Admin\Downloads\UninstallResume.doc.exe

MD5 80ac2baed5725b950ba6a42fbe940dd8
SHA1 674078d4c8851ae8e602aa9d7ea555e6a90d2a02
SHA256 eb3a629dd7144755ab6db2111cd7b764bc741c91700dba6976a23e15c2c7191e
SHA512 125dee8af88f41c58d17f109562ec9884b948a17fc19a53d94bb8b677887c95a4f11ad119abf6084de67dfbd7779132eb203d28aa7bcf89bdc77846afe69d75f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 074644b08acaebd0bf8bb3555f125ef1
SHA1 9ba5b40379554d581883508a6fd3513004f97b73
SHA256 ea7dd772f21e6491bacb3057450c1a561cd3d524a1b30d94bc1145bf1c9894c6
SHA512 00f189a55bed1e1530c6409ebba0d287986f333337591d8378f86cc8be9a9384f2bf3927ebdb6aa0e9b707606d922254b325d8432f630a92e4ec981a33ba90c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 37a1f85aca8d927303b0ec90dc73bfaf
SHA1 3ce18b5fc2dd683e7d10150966eef3adaedafcec
SHA256 19c1ddcb86d84e45cbe65d13c93e846f65ec9cd2bef27fbd44432db7746ea2e2
SHA512 5b48e86583e1da1b170a3064de2eaa2f70cd17c80957bcaf8f23d5c460808e4f1ae7276789d53220fa5e07f2543249a8d67b810593427972db40b8dae11ac053

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 1960a1875969e2c55575c0eb24ff1496
SHA1 6cb9a512aa5689460e067fafd7140246ed2c0164
SHA256 6de6deaf2757de4dae4c39e3630041dca9d99c39b94792238da1e77a64360a47
SHA512 e586f1f60ea5fab242ac8d812ce0581e8d906b9a69e3742102761d2c8f4a5a89b86989be3f15f6ca05854efc903d057175ad81a7e1fb27ae6cf1f1b210dd57fd

C:\Users\Admin\AppData\Local\Temp\TCD7704.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 24ea0c491597344072f8b330af464678
SHA1 7e7c82910152ab82e311838413c3bf87ed7aa904
SHA256 2ebf4ac1003b01e9afc83bb5b8103664f59625fed0c8924724f5c4f1291c76a2
SHA512 74a8e01224e8b219df59b3e7a4e6749000a79b9aca9d2cc5cccef23274b73e88a01536165f329f6098c6550a8a0290dac8fec27c5e7e8956c34f62a0c27363c5

memory/3556-601-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-604-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-603-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp

memory/3556-602-0x00007FFBDBAB0000-0x00007FFBDBAC0000-memory.dmp
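
The Files table mixes three kinds of entry: the sample's drops (four randomly named executables in SysWOW64, the decoy C:\Windows\mydoc.rtf that WINWORD.EXE is launched on, and executables with a doubled extension such as WaitStop.doc.exe and MsoIrmProtector.doc.exe), ordinary Office cache files that Word writes whenever it opens a document (Recent\index.dat, the customDestinations-ms jump list, the TCD*.tmp XSL), and memory dumps taken by the sandbox. The same path can appear twice with different hashes because the file was rewritten during the run. The Network table is not a source of indicators at all: it records only DNS to 8.8.8.8, reverse lookups of the resolved addresses, and TLS to Bing and the Office templates CDN, which is what WINWORD.EXE does on its own; no contact with anything attributable to the sample was observed in this detonation. The script below is an added example written for this report (not sandbox tooling): it parses a verbatim subset of the Files table (SHA1/SHA512 lines dropped for length; the parser accepts them), tags doubled document extensions and drops under C:\Windows, and returns the SHA256 set worth carrying forward. DOC_EXTS and the tag names are mine.

```python
"""Turn the Files inventory above into a short IOC list.

Added example for this report, not sandbox tooling. FILES_SECTION is a
subset of the Files table, copied verbatim (SHA1/SHA512 lines omitted for
length; the parser accepts them). DOC_EXTS and the tag names are mine.
"""
import re
from dataclasses import dataclass, field

# Extensions that, followed by ".exe", make a "document" lure such as
# WaitStop.doc.exe: with known extensions hidden, Explorer shows WaitStop.doc.
DOC_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".txt"}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

FILES_SECTION = r"""
memory/3920-0-0x0000000000400000-0x0000000000496000-memory.dmp
C:\Windows\SysWOW64\wjtnbwvciiqueui.exe
MD5 345260700372e8aa56748d12bf9980c1
SHA256 3d6a67d8ee3a10f496638fb07965177d8401d9752eacc1cfbe93123efc5eef1a
C:\Windows\SysWOW64\xzlxjewrua.exe
MD5 5b01095308dca953f9988126b3956674
SHA256 0c61f0464afeb2a86b24a5b7b7b4d9d5c13ffae98971be3e195c49ad7cec93c0
C:\Windows\mydoc.rtf
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
C:\Users\Admin\Documents\WaitStop.doc.exe
MD5 5e3d38c49e1631c1c3ddb802e5e9cd51
SHA256 1b2517782f4eb4e7637732b915d2d4a3cdb5562655973ed7a74150c331106bb1
C:\Users\Admin\Downloads\UninstallResume.doc.exe
MD5 80ac2baed5725b950ba6a42fbe940dd8
SHA256 eb3a629dd7144755ab6db2111cd7b764bc741c91700dba6976a23e15c2c7191e
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 1960a1875969e2c55575c0eb24ff1496
SHA256 6de6deaf2757de4dae4c39e3630041dca9d99c39b94792238da1e77a64360a47
C:\Users\Admin\AppData\Local\Temp\TCD7704.tmp\iso690.xsl
MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
MD5 24ea0c491597344072f8b330af464678
SHA256 2ebf4ac1003b01e9afc83bb5b8103664f59625fed0c8924724f5c4f1291c76a2
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    tags: set = field(default_factory=set)


def parse_files(text):
    """One DroppedFile per path line; hash lines attach to the entry above them."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1].hashes[m.group(1)] = m.group(2)
        elif not m:
            entries.append(DroppedFile(path=line))
    return entries


def normalise(path):
    # \??\c:\... is the NT object-manager spelling of C:\...; strip the prefix
    return path[4:] if path.startswith("\\??\\") else path


def classify(entry):
    """Add 'double-extension' for <name>.<doc ext>.exe and 'windows-dir-drop'
    for anything written under C:\\Windows; Office cache files get no tag."""
    low = normalise(entry.path).lower()
    name = low.rsplit("\\", 1)[-1]
    if name.endswith(".exe"):
        stem = name[:-4]
        if "." in stem and "." + stem.rsplit(".", 1)[-1] in DOC_EXTS:
            entry.tags.add("double-extension")
    if low.startswith("c:\\windows\\"):
        entry.tags.add("windows-dir-drop")
    return entry


def iocs(entries):
    """Sorted unique SHA256 of every tagged file; memory dumps and untagged
    Office cache files are skipped, duplicate hashes collapse to one."""
    out = {}
    for e in entries:
        if e.path.startswith("memory/"):
            continue
        classify(e)
        if e.tags and "SHA256" in e.hashes:
            out.setdefault(e.hashes["SHA256"], e.path)
    return sorted(out)


if __name__ == "__main__":
    entries = parse_files(FILES_SECTION)
    for sha in iocs(entries):
        print(sha)
    for e in entries:
        if e.tags:
            print(e.path, sorted(e.tags))
```

On the subset above this yields seven hashes (the two SysWOW64 executables, the decoy RTF, both .doc.exe lures in the user profile, and both versions of MsoIrmProtector.doc.exe) and leaves index.dat and iso690.xsl out. Hash-based indicators for a dropper that writes randomly named files are brittle by nature; the path and naming patterns tagged here are the more durable hunt.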