Malware Analysis Report

2024-11-16 13:21

Sample ID 240613-fq8qnsvfpe
Target a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118
SHA256 3c54fb6a04d8c840482fcdd37d3d8c04b2e9be7e0eb90794b206c158b3f4ab34
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c54fb6a04d8c840482fcdd37d3d8c04b2e9be7e0eb90794b206c158b3f4ab34

Threat Level: Known bad

The file a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:05

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:05

Reported

2024-06-13 05:08

Platform

win7-20240611-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wupojjqfjy.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wupojjqfjy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jgbskykc = "wupojjqfjy.exe" C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otslvudb = "yvtpdzuucioxfij.exe" C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "croraalphcyie.exe" C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wupojjqfjy.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wupojjqfjy.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\yvtpdzuucioxfij.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bautyzsg.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bautyzsg.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\croraalphcyie.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wupojjqfjy.exe N/A
File created C:\Windows\SysWOW64\yvtpdzuucioxfij.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wupojjqfjy.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\croraalphcyie.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wupojjqfjy.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files\SearchDisconnect.doc.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files\SearchDisconnect.nal C:\Windows\SysWOW64\bautyzsg.exe N/A
File created \??\c:\Program Files\SearchDisconnect.doc.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification \??\c:\Program Files\SearchDisconnect.doc.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files\SearchDisconnect.doc.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files\SearchDisconnect.nal C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification \??\c:\Program Files\SearchDisconnect.doc.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bautyzsg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442D7D9D5083506A3676A177272CD87D8465AB" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12B4492389F52BEB9A733EFD7BE" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wupojjqfjy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wupojjqfjy.exe N/A
N/A N/A C:\Windows\SysWOW64\wupojjqfjy.exe N/A
N/A N/A C:\Windows\SysWOW64\wupojjqfjy.exe N/A
N/A N/A C:\Windows\SysWOW64\wupojjqfjy.exe N/A
N/A N/A C:\Windows\SysWOW64\wupojjqfjy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\bautyzsg.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\yvtpdzuucioxfij.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A
N/A N/A C:\Windows\SysWOW64\croraalphcyie.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\wupojjqfjy.exe
PID 1724 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\wupojjqfjy.exe
PID 1724 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\wupojjqfjy.exe
PID 1724 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\wupojjqfjy.exe
PID 1724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\yvtpdzuucioxfij.exe
PID 1724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\yvtpdzuucioxfij.exe
PID 1724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\yvtpdzuucioxfij.exe
PID 1724 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\yvtpdzuucioxfij.exe
PID 1724 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 1724 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 1724 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 1724 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 1724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\croraalphcyie.exe
PID 1724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\croraalphcyie.exe
PID 1724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\croraalphcyie.exe
PID 1724 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\croraalphcyie.exe
PID 3000 wrote to memory of 2740 N/A C:\Windows\SysWOW64\wupojjqfjy.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 3000 wrote to memory of 2740 N/A C:\Windows\SysWOW64\wupojjqfjy.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 3000 wrote to memory of 2740 N/A C:\Windows\SysWOW64\wupojjqfjy.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 3000 wrote to memory of 2740 N/A C:\Windows\SysWOW64\wupojjqfjy.exe C:\Windows\SysWOW64\bautyzsg.exe
PID 1724 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1724 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1724 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1724 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2500 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2500 wrote to memory of 848 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe"

C:\Windows\SysWOW64\wupojjqfjy.exe

wupojjqfjy.exe

C:\Windows\SysWOW64\yvtpdzuucioxfij.exe

yvtpdzuucioxfij.exe

C:\Windows\SysWOW64\bautyzsg.exe

bautyzsg.exe

C:\Windows\SysWOW64\croraalphcyie.exe

croraalphcyie.exe

C:\Windows\SysWOW64\bautyzsg.exe

C:\Windows\system32\bautyzsg.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1724-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\yvtpdzuucioxfij.exe

MD5 8631ee604a5423a6e2228a18b5c8032e
SHA1 9669de94544917873c9009bb640352429a465ba7
SHA256 6d1b8095ef2e104aae5286386d84a8fa42c835c4d30548e5a82a4767092d0e2d
SHA512 5aa7330f18d3de6faba548255705746650233dfbd5f5c99a1252ae7466cc3ec1ce958d3aa78805fd24587aa3dd4e2f90d13e8b382ec2ec84756be05db93c74ee

\Windows\SysWOW64\wupojjqfjy.exe

MD5 2834ed708f2e58cfe1b8563ea0ba2f5f
SHA1 b25a4a8a0f1d32775317a7feb110a74d0d36fe17
SHA256 d4fe340775fa94e7ffa163e3bd16062ecee2bea52efe7d32805756068f1b7738
SHA512 91c032271aef2d1b4d3ac67adb37e863b31eb5747f8d078fdf16d24f4a5d4b1379a539e74f39b6db8e130f150c4f5dc55616c80574fdbd931a48fa26530321a3

\Windows\SysWOW64\bautyzsg.exe

MD5 686abab8f18e4c92134da383d95bb963
SHA1 64d52ae142e78d952e19fa8be2ed524fe8f51743
SHA256 ac8206ee15b0c73d5ededf84f7ad4a6e4e3950b3a3a7e832266870452ce612a3
SHA512 8ab911a4898e950f74fcd1147e3df38bd3f5e302547a1ae2f101c5ca244703990d392895a19fab05e5121a2c295fd6bf85b38b270364c7db6483984558a5dfc9

\Windows\SysWOW64\croraalphcyie.exe

MD5 257fe2836e8420e6c23ad1d31b0f5de4
SHA1 ba1088300a29b31d21b45013f5e7f80dcddcf1e6
SHA256 f6b9b08a0d2f3b06ab2fb2cd75a427bedf318767ab999fa844bb77b7740ae9ea
SHA512 a753945971b74b24e380357864c9936d718da5b01c36af849a828b55b13498a517cd44eb1618a2594c64f02eddd51721346ea2ddf380730d2e30871a6f01982b

memory/2500-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ada440e75563ce87902692a222cc5c96
SHA1 a89bb81b387ae35b09d21ecf2042b66377a864ce
SHA256 1bd481005c4f5ffadef9a59dd2fd2906d5b5599a8e31850efc95908f9d5e9fe9
SHA512 a39ac9080279fdb59b90cafa6f8816b68648f640d6e5c032ea3a70e8be1f8d86d19355ebb20e93093ae52d7a24105daeae3149dfaa9cbe803f264913238cedf0

memory/2500-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:05

Reported

2024-06-13 05:08

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfggzhxt = "jqlxcioyxl.exe" C:\Windows\SysWOW64\pfecurgxbymnmbr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ovcfcbha = "pfecurgxbymnmbr.exe" C:\Windows\SysWOW64\pfecurgxbymnmbr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bottaeqklxwog.exe" C:\Windows\SysWOW64\pfecurgxbymnmbr.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bottaeqklxwog.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created C:\Windows\SysWOW64\pfecurgxbymnmbr.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pfecurgxbymnmbr.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jyugodcx.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created C:\Windows\SysWOW64\jyugodcx.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bottaeqklxwog.exe C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jyugodcx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\jyugodcx.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FAC9F913F1E384753A43869C3E99B08D03FD4365034EE1BA429B09A8" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B0584492399E53B8BAD632EFD4CE" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF884F5F826E9140D75B7E94BDE6E147583066406331D7EA" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D799C2582576A3F76A070522DD77C8664AC" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB3FE1A21DFD17AD0A68B0E9011" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70C15E1DAC4B8BE7CE6ED9634C8" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\jqlxcioyxl.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A 16 events C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
N/A 10 events C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
N/A 10 events C:\Windows\SysWOW64\jyugodcx.exe N/A
N/A 12 events C:\Windows\SysWOW64\pfecurgxbymnmbr.exe N/A
N/A 16 events C:\Windows\SysWOW64\bottaeqklxwog.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jqlxcioyxl.exe
PID 4772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jqlxcioyxl.exe
PID 4772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jqlxcioyxl.exe
PID 4772 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\pfecurgxbymnmbr.exe
PID 4772 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\pfecurgxbymnmbr.exe
PID 4772 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\pfecurgxbymnmbr.exe
PID 4772 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 4772 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 4772 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 4772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bottaeqklxwog.exe
PID 4772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bottaeqklxwog.exe
PID 4772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bottaeqklxwog.exe
PID 4772 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4772 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1200 wrote to memory of 2240 N/A C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 1200 wrote to memory of 2240 N/A C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 1200 wrote to memory of 2240 N/A C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Windows\SysWOW64\jyugodcx.exe
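Two of the tables above carry the facts a responder actually needs: the WriteProcessMemory rows give the parent/child relationships (each pair appears two or three times because the sandbox logs the writes a parent makes into a freshly created child, so the count alone does not prove injection; the tree is what matters, and it shows jqlxcioyxl.exe launching a second jyugodcx.exe), and the registry rows show jqlxcioyxl.exe resetting the default ProgId of .bat, .reg, .vbs, .wsf, .wsh and .wsc to "txtfile", which makes a double-clicked cleanup script open in Notepad instead of its interpreter. The Python below is an added example for this report, not sandbox output: it parses rows copied verbatim from those two tables, rebuilds the process tree and lists the redirected script types. The regexes, the row subset and the STOCK_PROGID table of expected clean-install associations are this example's own assumptions.

```python
"""Rebuild the process tree and the script-association hijack from the report rows.

Added example for this report, not part of the sandbox output. The two row
sets are copied verbatim from the registry and WriteProcessMemory tables;
the regexes, helpers and STOCK_PROGID table are this example's own.
"""
import re
from collections import Counter, defaultdict

# Constructed input: registry rows copied from the report (subset, one per line).
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B0584492399E53B8BAD632EFD4CE" C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\jqlxcioyxl.exe N/A
"""

# Constructed input: every WriteProcessMemory row from the report, in order.
WPM_ROWS = r"""
PID 4772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jqlxcioyxl.exe
PID 4772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jqlxcioyxl.exe
PID 4772 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jqlxcioyxl.exe
PID 4772 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\pfecurgxbymnmbr.exe
PID 4772 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\pfecurgxbymnmbr.exe
PID 4772 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\pfecurgxbymnmbr.exe
PID 4772 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 4772 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 4772 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 4772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bottaeqklxwog.exe
PID 4772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bottaeqklxwog.exe
PID 4772 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Windows\SysWOW64\bottaeqklxwog.exe
PID 4772 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4772 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1200 wrote to memory of 2240 N/A C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 1200 wrote to memory of 2240 N/A C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Windows\SysWOW64\jyugodcx.exe
PID 1200 wrote to memory of 2240 N/A C:\Windows\SysWOW64\jqlxcioyxl.exe C:\Windows\SysWOW64\jyugodcx.exe
"""

# Only a "Set value" on the default value of HKLM\SOFTWARE\Classes\.<ext> matters here.
SET_EXT_DEFAULT = re.compile(
    r'^Set value \(\w+\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\.[^\\ ]+)\\ = "([^"]*)"', re.I)
# Parent path has no spaces in this report; the target may (Program Files), so it is greedy.
WPM = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$', re.I)

# Assumed ProgIds of a clean Windows install (this example's own table, used for comparison).
STOCK_PROGID = {".bat": "batfile", ".reg": "regfile", ".vbs": "VBSFile",
                ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


def hijacked_extensions(rows):
    """Map extension -> new default ProgId for each rewritten Classes\\.<ext> default value."""
    out = {}
    for line in rows.strip().splitlines():
        m = SET_EXT_DEFAULT.match(line)
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out


def neutered_script_types(rows):
    """Extensions now handed to the text viewer: a double-clicked .bat/.reg/.vbs opens Notepad."""
    return sorted(ext for ext, progid in hijacked_extensions(rows).items()
                  if progid.lower() == "txtfile" and STOCK_PROGID.get(ext) != progid)


def process_tree(rows):
    """Return (pid -> image name, parent -> [children], (parent, child) -> write count)."""
    names, children, writes = {}, defaultdict(list), Counter()
    for line in rows.strip().splitlines():
        m = WPM.match(line)
        if not m:
            continue
        ppid, cpid, parent, child = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        names.setdefault(ppid, parent.rsplit("\\", 1)[-1])
        names.setdefault(cpid, child.rsplit("\\", 1)[-1])
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    return names, children, writes


def render_tree(rows):
    """Indented tree, one line per process, with the number of writes into each child."""
    names, children, writes = process_tree(rows)
    spawned = {c for cs in children.values() for c in cs}
    lines = []

    def walk(pid, parent, depth):
        tag = "" if parent is None else f"  <- {writes[(parent, pid)]} write(s) from {parent}"
        lines.append("  " * depth + f"{pid} {names[pid]}{tag}")
        for c in children.get(pid, []):
            walk(c, pid, depth + 1)

    for root in [p for p in children if p not in spawned]:
        walk(root, None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(WPM_ROWS))
    print("script types redirected to txtfile:", ", ".join(neutered_script_types(REGISTRY_ROWS)))
```

The association check only covers launches that go through the shell (double-click, ShellExecute); `cmd /c script.bat` or `cscript script.vbs` ignore the ProgId, which is how to run a cleanup script on a machine in this state. The same regexes work on the full exported table, not just the rows embedded here.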

Processes

C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3ea1a5093a2290e1658a2da52746caf_JaffaCakes118.exe"

C:\Windows\SysWOW64\jqlxcioyxl.exe

jqlxcioyxl.exe

C:\Windows\SysWOW64\pfecurgxbymnmbr.exe

pfecurgxbymnmbr.exe

C:\Windows\SysWOW64\jyugodcx.exe

jyugodcx.exe

C:\Windows\SysWOW64\bottaeqklxwog.exe

bottaeqklxwog.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\jyugodcx.exe

C:\Windows\system32\jyugodcx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.22.144.9:443 binaries.templates.cdn.office.net tcp (44 connections)
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 9.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Every destination recorded here is Google Public DNS, Bing or the Office template CDN, and the in-addr.arpa entries are reverse (PTR) lookups of the addresses just contacted. This traffic is attributable to WINWORD.EXE being launched against the dropped C:\Windows\mydoc.rtf (Office connected experiences and template metadata/binary downloads), not to the sample's own components. No other outbound destination was recorded during this detonation, so this run yields no network indicator to block; that is not evidence that the sample has no command-and-control, only that none was reached in the detonation window.

Files

memory/4772-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\pfecurgxbymnmbr.exe

MD5 cbe6223e828d895980a57ab4ebb5e810
SHA1 32edad3b2ddd84cc9ce58347acd85511ed510e65
SHA256 5823f57a7d8ea3a519a84ff58d20867219687180b382ea6df0fca1ea05796270
SHA512 c5f0ae106eb0eab6ec4084e730e45573c63886cfd16935e02f5f554b58fabcdd5311c79d9514ee6cae68d7d60a1a1e163bc49542b21b6fa021baeb1aa2dd3898

C:\Windows\SysWOW64\jqlxcioyxl.exe

MD5 05361c2044b07a563f253be94d339408
SHA1 4ddfb65b1cf77b6f9bd99b10b6752f63072bae27
SHA256 84f1b6cf97ac3b94863c22d7d0ed354e5d49a47387b1b45d11d279cc2bae26e3
SHA512 d3e4791cfef627a48793c0a4be0c82248c60dbd24e60906b133647fbd5967f54f8150bc9d07193b5fc7ac6c48a6f7a42f7929a9ffb9a79922da7d32afc1bbd29

C:\Windows\SysWOW64\jyugodcx.exe

MD5 1a276f7175294bda499336c5658905a7
SHA1 da28118e6b2655c68e3ad6acdb68cd54283fdfed
SHA256 2e75083223d51aacd2a50a266d0e7f3eb86351557e6a04cab20e4f087e220269
SHA512 d319bbbf285cb3b1622f54fad14194b1683ffce1b360be118608b399a58d7c2c1327e52a94d0e4beccc5f55e8f173c4d2e2131d3ed08e6c5ba6d7cd5eb560281

C:\Windows\SysWOW64\bottaeqklxwog.exe

MD5 b66c6fd144d67febebdc602849455c14
SHA1 6a98926b24b86d37d8d9e8d50bfbb0789f251df6
SHA256 e6ee40b43c246db4eb84ddd55944da63e477ead6211fc00e053d878cc2a5b519
SHA512 23a357f357d65c32d03e3bea2c403863e052f528877b74f4896d6d5e416634cad36e738b1acc021bc1622b32b9a7e314ec50b0a6372f867321badc354fcbf7cb

memory/884-35-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-37-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-36-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-38-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-39-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-40-0x00007FF91E820000-0x00007FF91E830000-memory.dmp

memory/884-43-0x00007FF91E820000-0x00007FF91E830000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 c0b037cad970839decd9e5ea07832e58
SHA1 778e705e8177be45880d0d68b9d836965ae37bb0
SHA256 53a5056758f640c3f690b6f3caca2801a1cd0f72eaf3511357546abebb489102
SHA512 424aae9d3cdbbd9cd92592953a29206bdc16cf48140882b563a513d8025e359c5f6ce5760c04031f6bf9fb6906d70e62f80ff0de60a6c80d6bfed424b5b116ca

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 48902ecbddbcc206337ed961e9ee8db4
SHA1 064d517812929b2c375d583f879aa308f99b80b2
SHA256 09dd356d3b79c9b5787c0e8169330cbd530ad31cd9e4e4633ae3476c2b6716d0
SHA512 3330af72fa8af88fdd4653778cdc4f0029726578d5ccfa939c2e9b919d31d7d87592a4474d904fdf12731d4f668a7603a356f498a5a5ba2483d23f274408f1d6

C:\Users\Admin\Music\DisconnectUnblock.doc.exe

MD5 49549fd69d99ed9e367a16f4b160a951
SHA1 16850288d556984723b24a4d1075d3382e742584
SHA256 adf3eaac7f9f89299eb1cb6f851c3ebc321077e3be04648bdc2fc15ac1e5d76e
SHA512 4ada17c99d560beb0b27d024e08ce158e53640b99b009e50b440fc5de2f383f31fb755030933d1c21766caea1abcd4b07679fba933a32a57c70b56ea6ccbe819

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1aeb3009ef23dcf9e320943b9b9dee28
SHA1 4696f12a366bc3d32c87e10c5ea54b7de3296413
SHA256 9d2440724be8e9292bc72ce9eba8b99880f6011378abfb03649dd8a8df7e239b
SHA512 6c7ba78aa47ff614d64da929fd27f9b8bcf950d0086af14454aef3e2ec96d8cb4b5b39f4395b4851a9afc1b449e68c77047fd249520934427d898a19a29c47dd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 609bcd4c82e7221c598200f59d528a44
SHA1 b2694d936898dcf9e821514b89ef14927ededa05
SHA256 36543cebc0839323501e92ee1b4460e13017025b0a38bd4045bc081b90b7f622
SHA512 a8d0ff02c3b98b40c8ae4ac76b41b2f93fdad6fa9b030a5248faf97f956f1076706702e931fb6bbe35dd6511e4dae55d74bac4528e7d98570d49f7e8c45be37e

C:\Users\Admin\AppData\Local\Temp\TCDA192.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 fc08844c6f7ff29e354b6746207d3d4e
SHA1 18b83639368b4279149f3c48934457bd3ff26363
SHA256 c977b54fd6088a6b9658cb40045e43c0f10e831c73759946ebbc85a41d59d927
SHA512 778c7a01e3ed4fcbaee640a86ddf770881a690df42d72126b8e4433bf9d1f264ccd3a40d2a2ae9af0514e93841af6ca23c963cdfc5ffe9dcaa23f223f1bb0b3b

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 97905542b08b60d1b02624885d05496e
SHA1 b23a73da7739cb730ad4780bd76731340d3c4549
SHA256 136c3bc438e84625d252ce0d42588c2170db342d53de81472a1b0dadb6677fba
SHA512 4740ccabf2284d49ea6433a90aedf40387d0c9563519477206be82cf54ab2b87ae8510f19a4f4626fcddb2b4f6d07333e268172974f25cd307f41be447fb0787

memory/884-602-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-603-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-604-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp

memory/884-601-0x00007FF920F90000-0x00007FF920FA0000-memory.dmp
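Several of the files above are PE images written under a document name with a trailing .exe (DisconnectUnblock.doc.exe in the user's Music folder, PROTTPLN.DOC.exe and PROTTPLV.DOC.exe under the Office install, MsoIrmProtector.doc.exe under SysWOW64\MSDRM); with Explorer's default of hiding known extensions they display as ordinary .doc files. The Python below is an added hunting example for this report, not vendor or sandbox tooling: it walks a directory tree (a mounted image or a forensic copy), flags document-named files that carry a trailing .exe and begin with the DOS "MZ" header, and looks each SHA-256 up against the hashes listed above. The extension list is deliberately broader than the .doc seen here, and the sample directory it builds is constructed test data, not files from the detonation.

```python
"""Hunt for executables disguised as documents, as this sample drops them.

Added example for this report, not vendor or sandbox tooling. Flags
document-named files with a trailing .exe whose content starts with the
DOS "MZ" header and compares their SHA-256 with the hashes in the report.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from the Files section of this report, keyed for lookup.
REPORT_SHA256 = {
    "adf3eaac7f9f89299eb1cb6f851c3ebc321077e3be04648bdc2fc15ac1e5d76e": "DisconnectUnblock.doc.exe",
    "53a5056758f640c3f690b6f3caca2801a1cd0f72eaf3511357546abebb489102": "PROTTPLN.DOC.exe",
    "09dd356d3b79c9b5787c0e8169330cbd530ad31cd9e4e4633ae3476c2b6716d0": "PROTTPLV.DOC.exe",
    "c977b54fd6088a6b9658cb40045e43c0f10e831c73759946ebbc85a41d59d927": "MsoIrmProtector.doc.exe",
    "136c3bc438e84625d252ce0d42588c2170db342d53de81472a1b0dadb6677fba": "MsoIrmProtector.doc.exe",
}

# Document-looking name with a trailing .exe; wider than the .doc seen in this report on purpose.
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.exe$", re.I)


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """Every PE begins with the DOS stub signature 'MZ'; a genuine .doc or .rtf never does."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_masquerading_pe(root):
    """Return [(path, sha256, name_from_report_or_None)] for double-extension PE files under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not DOUBLE_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            if not is_pe(path):
                continue  # double extension but not a PE: worth a glance, not this rule's target
            digest = sha256_file(path)
            hits.append((path, digest, REPORT_SHA256.get(digest)))
    return hits


def build_sample_tree():
    """Constructed test data, not files from the detonation: a fake PE with a document
    name, a genuine-looking .doc, and a renamed text file with a double extension."""
    root = tempfile.mkdtemp(prefix="hunt-")
    music = os.path.join(root, "Music")
    os.makedirs(music)
    with open(os.path.join(music, "DisconnectUnblock.doc.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 64)  # MZ stub then a PE signature
    with open(os.path.join(music, "Report.doc"), "wb") as f:
        f.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 32)  # OLE2 compound-file magic
    with open(os.path.join(music, "notes.txt.exe"), "wb") as f:
        f.write(b"just text that was renamed")  # double extension, no MZ header
    return root


if __name__ == "__main__":
    for path, digest, known in find_masquerading_pe(build_sample_tree()):
        print(f"{path}\n  sha256={digest}\n  listed in report: {known or 'no'}")
```

Point `find_masquerading_pe` at the root of a mounted volume rather than a live C:\ to avoid executing anything by accident through shell handlers; the hidden-extension setting only affects Explorer, so a directory listing from PowerShell or this script sees the full name. A hash hit ties the file to this detonation; a miss on a double-extension PE is still worth collecting, since the sample writes these under varying names.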