Malware Analysis Report

2024-11-16 13:22

Sample ID 240614-e2mf5svenh
Target a80146d37720556f31322741b751257a_JaffaCakes118
SHA256 0dbc72585b456a451d16e64a461fd6c44af43948ad9e9301ac9e52ea061aaf98
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

0dbc72585b456a451d16e64a461fd6c44af43948ad9e9301ac9e52ea061aaf98

Threat Level: Known bad

The file a80146d37720556f31322741b751257a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Checks computer location settings

Windows security modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:26

Signatures

AutoIT Executable

Description Indicator Process Target
(static signature; no per-event indicator recorded)

Unsigned PE

Description Indicator Process Target
(static signature; no per-event indicator recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:26

Reported

2024-06-14 04:28

Platform

win7-20231129-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pjrcaggwrkgsz.exe" C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\migvijkg = "jtmoqdlhbv.exe" C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tlemwnib = "nafazwvwzrtodpa.exe" C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\b: \??\e: \??\g: through \??\z: (every letter except c:, d:, f:) C:\Windows\SysWOW64\rkdxhkri.exe N/A
File opened (read-only) \??\a: \??\b: \??\g: through \??\n: \??\p: through \??\z: (every letter except c:, d:, e:, f:, o:) C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
(64 open events in the original table, 43 by rkdxhkri.exe and 21 by jtmoqdlhbv.exe, collapsed to one row per process. Neither process opens c: or d: this way; a sweep of the remaining drive letters is the usual probe for removable or mapped drives.)

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
4294967197 is 0xFFFFFF9D, the value historically used to switch off Windows File Protection. The detonation platform is Windows 7, where system files are guarded by Windows Resource Protection, which does not honour SFCDisable, so read this write as a fingerprint of intent (and a good detection hook) rather than as an effective bypass.

AutoIT Executable

Description Indicator Process Target
(6 matches; no per-event indicator recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pjrcaggwrkgsz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pjrcaggwrkgsz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
File created C:\Windows\SysWOW64\nafazwvwzrtodpa.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nafazwvwzrtodpa.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rkdxhkri.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rkdxhkri.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rkdxhkri.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rkdxhkri.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\rkdxhkri.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rkdxhkri.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\rkdxhkri.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rkdxhkri.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rkdxhkri.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rkdxhkri.exe N/A
(15 events in the original table, collapsed to the 8 distinct rows above.) rkdxhkri.exe creates PROTTPLV.DOC.exe and PROTTPLN.DOC.exe plus companion .nal files in Office's 1033 folder; with HideFileExt = 1 (set above by jtmoqdlhbv.exe) Explorer displays these as PROTTPLV.DOC and PROTTPLN.DOC, the classic double-extension lure.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
The sample writes C:\Windows\mydoc.rtf and WINWORD.EXE then opens it (~$mydoc.rtf is Word's owner/lock file), which is consistent with a decoy document shown to the user while the SysWOW64 droppers run; it also accounts for the Office registry and file activity attributed to WINWORD.EXE elsewhere in this detonation.

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Every row in this table is attributed to WINWORD.EXE. The MenuExt entries, the Default HTML/MHTML Editor keys and the binary command values (UTF-16LE MSI advertised-component descriptors, readable by decoding the hex shown) are Office's own handler registration performed when Word is launched, not writes by the sample; the signature fires on the key names, not on who wrote them.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
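Reading these tables by hand is error-prone: rows repeat, values arrive quoted, and REG_BINARY arrives as hex. The Python below is an added example by the editor, not tooling from the sandbox or from this report. It parses rows in the flattened layout used throughout the page (assumed to be `<op> <indicator>[ = <value>] <process> N/A`, with the process being the last `C:\`-prefixed path on the row), flags the Explorer, Policies, Security Center and Winlogon values recorded in the Signatures above, links each Run-key value back to the File created row that dropped it, and decodes Set value (data) blobs as UTF-16LE so the command values in the table just above can be read. The sample rows are copied from this report; the policy table of known-bad settings is the editor's own, not a sandbox signature set.

```python
"""Triage helper for the flattened "Description Indicator Process Target"
rows in this report.  Added example by the editor, not sandbox tooling.
Assumed row layout: "<op> <indicator>[ = <value>] <process> N/A", with the
process being the last "C:\\"-prefixed path on the row.  SAMPLE_ROWS are
copied from the report; POLICY is the editor's own list of bad settings.
"""
import re
from collections import namedtuple

Row = namedtuple("Row", "op indicator value process")
Finding = namedtuple("Finding", "kind detail process")

OPS = ("Set value (int)", "Set value (str)", "Set value (data)",
       "Key created", "Key deleted", "File created",
       "File opened for modification", "File opened (read-only)")

SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pjrcaggwrkgsz.exe" C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\migvijkg = "jtmoqdlhbv.exe" C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
File created C:\Windows\SysWOW64\pjrcaggwrkgsz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# (regex on the indicator path, predicate on the parsed value, kind, text)
POLICY = [
    (r"\\Explorer\\Advanced\\HideFileExt$", lambda v: v == "1",
     "evasion", "Explorer hides file extensions"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", lambda v: v == "0",
     "evasion", "Explorer hides hidden/system files"),
    (r"\\Policies\\System\\DisableRegistryTools$", lambda v: v == "1",
     "evasion", "regedit disabled by policy"),
    (r"\\Security Center\\\w+(DisableNotify|Override)$", lambda v: v == "1",
     "evasion", "Security Center warning suppressed"),
    (r"\\Security Center\\FirstRunDisabled$", lambda v: v == "1",
     "evasion", "Security Center first-run prompt suppressed"),
    (r"\\Winlogon\\SFCScan$", lambda v: v == "0",
     "evasion", "Winlogon SFC scan disabled"),
    (r"\\Winlogon\\SFCDisable$", lambda v: int(v) == 0xFFFFFF9D,
     "evasion", "legacy Windows File Protection kill value 0xFFFFFF9D"),
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]*)$")


def parse_row(line):
    """Return a Row for one report line, or None if it is not a data row."""
    line = line.rstrip()
    if not line.endswith(" N/A"):
        return None
    body = line[:-4]
    cut = body.rfind(" C:\\")                      # process column starts here
    if cut < 0:
        return None
    process, body = body[cut + 1:], body[:cut]
    op = next((o for o in OPS if body.startswith(o + " ")), None)
    if op is None:
        return None
    indicator, value = body[len(op) + 1:], None
    if op.startswith("Set value"):
        indicator, _, value = indicator.partition(" = ")
        if op == "Set value (data)":
            try:                                   # REG_BINARY shown as hex; Office stores UTF-16LE text
                value = bytes.fromhex(value).decode("utf-16-le").rstrip("\x00")
            except (ValueError, UnicodeDecodeError):
                pass                               # not text: keep the raw hex
        else:
            value = value.strip('"')
    return Row(op, indicator, value, process)


def triage(lines):
    """Apply POLICY to every Set value row and tie each Run-key value back
    to the File created row that dropped the named executable."""
    rows = [r for r in map(parse_row, lines) if r is not None]
    dropped = {r.indicator.rsplit("\\", 1)[-1].lower(): r.process
               for r in rows if r.op == "File created"}
    findings = []
    for r in rows:
        if not r.op.startswith("Set value"):
            continue
        for pattern, is_bad, kind, text in POLICY:
            if re.search(pattern, r.indicator) and is_bad(r.value):
                findings.append(Finding(kind, f"{text}: {r.indicator} = {r.value}", r.process))
        m = RUN_KEY.search(r.indicator)
        if m:
            origin = dropped.get(r.value.lower())
            src = f"dropped by {origin}" if origin else "creator not seen in report"
            findings.append(Finding("persistence",
                f"Run value {m.group(1) or '(Default)'} -> {r.value} ({src})", r.process))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS.strip().splitlines()):
        print(f"[{f.kind}] {f.detail}  <- {f.process}")
```

Run on the rows above, the script reports eight findings: the six settings writes (two Explorer, two Security Center, one policy, one Winlogon) and the two Run values, both traced to executables the sample itself created in SysWOW64. The data blob decodes to an MSI advertised-component descriptor ending in `/n "%1"`, which is Word's handler registration rather than anything the sample wrote, so those rows can be set aside during triage.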

Modifies registry class

Most rows below are WINWORD.EXE registering Office's .htm/.mht handlers and its IconHandler CLSID. The rows worth reading are the ones attributed to the sample and to jtmoqdlhbv.exe: CLV.Classes\Com2 and CLV.Classes\Com4 receive opaque hex strings written by the sample (purpose not established by this report), and jtmoqdlhbv.exe creates the .wsc, .wsf and .reg classes and points .reg at "txtfile", so double-clicking a .reg file opens it as plain text instead of importing it, an anti-remediation step that complements the DisableRegistryTools policy above.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8D4F5D85129140D7207D92BC95E630593567406246D69E" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACCF96BF198847A3A46819D3E96B3FC038F42130349E1CA459908D2" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
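
The hex blob in the "Set value (data)" row above is a UTF-16LE string, and the ".reg" row is the one class change in this table that a defender should act on. The Python below is an added example, not part of the sandbox report or its tooling: it parses four rows copied from the table, decodes the hex value, strips the report's quoting, and attaches notes using the example's own heuristics (treating a SysWOW64 writer as a dropped binary, and the reading of the decoded value, are this example's assumptions, not the sandbox's verdicts). My reading of the decoded value is that its odd-looking prefix is a Windows Installer advertised (Darwin) descriptor, which Office writes when it self-registers, and that the tail /n "%1" is Word's ordinary open switch, so that row is Office housekeeping. The .reg = txtfile write, by contrast, is the sample making a double-clicked .reg file open as plain text instead of importing, which blocks the obvious manual undo of its other registry changes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four rows copied from the "Modifies registry class" table
# above (behavioral1). Each row reads
# "<operation> <key path>[ = <data>] <writing process> <target>".
SAMPLE_ROWS = [
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A',
]

# Greedy body (key path plus optional " = data"), then the writing process,
# which starts with a drive letter, then the target column (N/A or a path).
ROW_RE = re.compile(
    r"^(?P<op>Key created|Key deleted|Set value \((?P<kind>\w+)\)) "
    r"(?P<body>.*) (?P<proc>[A-Za-z]:\\.*?) (?P<target>N/A|[A-Za-z]:\\.*)$"
)


@dataclass
class RegEvent:
    op: str
    kind: Optional[str]
    key: str
    data: Optional[str]
    process: str
    decoded: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def decode_reg_data(hexstr: str) -> Optional[str]:
    """Sandboxes dump non-string values as raw hex. Strings Windows writes are
    UTF-16LE, so when every other byte is NUL decode as such and drop the
    terminating NULs; otherwise fall back to a byte-for-byte view."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if raw and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw.decode("latin-1")


def unquote(data: str) -> str:
    """Strip the report's surrounding quotes and backslash escaping."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unparsed row: " + row[:60])
    key, _, data = m.group("body").partition(" = ")
    ev = RegEvent(m.group("op"), m.group("kind"), key, data or None, m.group("proc"))
    if ev.kind == "data" and ev.data:
        ev.decoded = decode_reg_data(ev.data)
    elif ev.data is not None:
        ev.decoded = unquote(ev.data)
    return ev


def triage(ev: RegEvent) -> RegEvent:
    """Heuristics belonging to this example, not to the sandbox."""
    key = ev.key.lower()
    proc = ev.process.lower()
    if key.endswith("\\classes\\.reg\\") and ev.decoded == "txtfile":
        ev.notes.append("file-type hijack: .reg now opens as plain text, so a user "
                        "cannot undo the registry changes by double-clicking a .reg file")
    if key.endswith("\\classes\\.wsf") and ev.op == "Key created":
        ev.notes.append("creates the .wsf (Windows Script File) association key; "
                        "check what is written under it later in the log")
    if "\\syswow64\\" in proc and "microsoft office" not in proc:
        ev.notes.append("writer is a dropped binary running from SysWOW64, not an installer")
    if ev.decoded is not None and ev.decoded.endswith('/n "%1"'):
        ev.notes.append("decoded to an Office open command ending in /n \"%1\"; the prefix "
                        "is a Windows Installer advertised descriptor, consistent with "
                        "Office self-registration rather than with the sample")
    return ev


def analyse(rows: List[str] = SAMPLE_ROWS) -> List[RegEvent]:
    return [triage(parse_row(r)) for r in rows]


if __name__ == "__main__":
    for ev in analyse():
        print(f"{ev.op:<16} {ev.key}")
        print(f"    value : {ev.decoded!r}")
        for n in ev.notes:
            print(f"    note  : {n}")
```

The UTF-16 test (every second byte NUL) is deliberately loose so that the same decoder also handles REG_BINARY values that are not text; for those it returns the Latin-1 view so nothing is silently dropped.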

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\nafazwvwzrtodpa.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\pjrcaggwrkgsz.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\SysWOW64\rkdxhkri.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\jtmoqdlhbv.exe
PID 2784 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\jtmoqdlhbv.exe
PID 2784 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\jtmoqdlhbv.exe
PID 2784 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\jtmoqdlhbv.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\nafazwvwzrtodpa.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\nafazwvwzrtodpa.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\nafazwvwzrtodpa.exe
PID 2784 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\nafazwvwzrtodpa.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2784 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\pjrcaggwrkgsz.exe
PID 2784 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\pjrcaggwrkgsz.exe
PID 2784 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\pjrcaggwrkgsz.exe
PID 2784 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\pjrcaggwrkgsz.exe
PID 2196 wrote to memory of 2864 N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2196 wrote to memory of 2864 N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2196 wrote to memory of 2864 N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2196 wrote to memory of 2864 N/A C:\Windows\SysWOW64\jtmoqdlhbv.exe C:\Windows\SysWOW64\rkdxhkri.exe
PID 2784 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2784 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2784 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2784 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
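
The table above lists each writer/target pair four times, which is what this kind of sandbox records when a parent creates a child: CreateProcess itself writes the new process's startup parameters into the child, so a handful of writes into a freshly spawned child is typically process creation rather than code injection. Injection proper would look like writes into a process the sample did not start, or many writes into a suspended child. What this table is good for is reconstructing the spawn chain and picking out the one target that is not one of the sample's own drops. The Python below is an added example, not from the report or its sandbox: it rebuilds the six distinct edges from constructed rows that repeat the table's pairs, renders the tree, and flags the write whose target lives outside the drop directories (that directory list is the example's own assumption).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"

# Constructed sample: the six distinct (writer, target) pairs from the
# "Suspicious use of WriteProcessMemory" table above, each repeated four
# times as the report lists them.
_PAIRS = [
    (2784, 2196, SAMPLE_EXE, r"C:\Windows\SysWOW64\jtmoqdlhbv.exe"),
    (2784, 2856, SAMPLE_EXE, r"C:\Windows\SysWOW64\nafazwvwzrtodpa.exe"),
    (2784, 2568, SAMPLE_EXE, r"C:\Windows\SysWOW64\rkdxhkri.exe"),
    (2784, 2732, SAMPLE_EXE, r"C:\Windows\SysWOW64\pjrcaggwrkgsz.exe"),
    (2196, 2864, r"C:\Windows\SysWOW64\jtmoqdlhbv.exe", r"C:\Windows\SysWOW64\rkdxhkri.exe"),
    (2784, 2596, SAMPLE_EXE, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"),
]
SAMPLE_ROWS = [
    f"PID {s} wrote to memory of {d} N/A {sp} {dp}"
    for s, d, sp, dp in _PAIRS
    for _ in range(4)
]

# Writer path is taken non-greedily up to the first " X:\" that starts the target.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>.+?) (?P<dst_path>[A-Za-z]:\\.*)$"
)


@dataclass
class Edge:
    src: int
    dst: int
    src_path: str
    dst_path: str
    writes: int = 0


def build_graph(rows: List[str]) -> Dict[Tuple[int, int], Edge]:
    """Collapse repeated rows into one edge per (writer, target) pair, keeping
    first-seen order and counting how many writes the sandbox logged."""
    edges: Dict[Tuple[int, int], Edge] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        if key not in edges:
            edges[key] = Edge(key[0], key[1], m["src_path"], m["dst_path"])
        edges[key].writes += 1
    return edges


def roots(edges: Dict[Tuple[int, int], Edge]) -> List[int]:
    """PIDs that write but are never written to: the top of the chain."""
    writers = {e.src for e in edges.values()}
    targets = {e.dst for e in edges.values()}
    return sorted(writers - targets)


def children(edges: Dict[Tuple[int, int], Edge], pid: int) -> List[int]:
    return [e.dst for e in edges.values() if e.src == pid]


def render_tree(edges: Dict[Tuple[int, int], Edge], pid: int, depth: int = 0) -> List[str]:
    """Indented writer -> target listing, one line per process, with the
    number of logged writes into each child."""
    by_dst = {e.dst: e for e in edges.values()}
    if pid in by_dst:
        path, tag = by_dst[pid].dst_path, f" ({by_dst[pid].writes} writes)"
    else:  # a root: only ever seen as a writer
        path, tag = next(e.src_path for e in edges.values() if e.src == pid), ""
    base = path.rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {base}{tag}"]
    for child in children(edges, pid):
        lines.extend(render_tree(edges, child, depth + 1))
    return lines


# Assumption of this example: the sample's drops live in these two places.
DROP_DIRS = ("\\syswow64\\", "\\appdata\\local\\temp\\")


def non_dropped_targets(edges: Dict[Tuple[int, int], Edge]) -> List[Edge]:
    """Edges whose target is not one of the sample's own drops: writes into a
    pre-existing, normally trusted binary deserve a closer look."""
    return [e for e in edges.values()
            if not any(d in e.dst_path.lower() for d in DROP_DIRS)]


def analyse(rows: List[str] = SAMPLE_ROWS):
    edges = build_graph(rows)
    return edges, roots(edges), non_dropped_targets(edges)


if __name__ == "__main__":
    edges, top, odd = analyse()
    for r in top:
        print("\n".join(render_tree(edges, r)))
    for e in odd:
        print(f"review: {e.src} -> {e.dst} {e.dst_path} ({e.writes} writes)")
```

On this report the only non-drop target is WINWORD.EXE (PID 2596), and the Processes list shows it was started with /n "C:\Windows\mydoc.rtf", so even that edge is consistent with the sample launching Word on a decoy document rather than injecting into a running Word.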

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"

C:\Windows\SysWOW64\jtmoqdlhbv.exe

jtmoqdlhbv.exe

C:\Windows\SysWOW64\nafazwvwzrtodpa.exe

nafazwvwzrtodpa.exe

C:\Windows\SysWOW64\rkdxhkri.exe

rkdxhkri.exe

C:\Windows\SysWOW64\pjrcaggwrkgsz.exe

pjrcaggwrkgsz.exe

C:\Windows\SysWOW64\rkdxhkri.exe

C:\Windows\system32\rkdxhkri.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\nafazwvwzrtodpa.exe

MD5 3485b4b1d4cbc82c994c4ec79b085a0d
SHA1 4a2d07134eebc5a913a91b994ad05623f3afd562
SHA256 fe44ba77d77ca580efd210c63ba6800d20e3ec0a6bade520cc899750fb4e4a6f
SHA512 7d205cfa53d4c7bf4272cdc24df5dbd2f9257e45006fd98c84a7548d986ea1b8db5f3470d533afd20a47c7f2be149eff1bfb079e4923d84e3193af14b964a157

\Windows\SysWOW64\jtmoqdlhbv.exe

MD5 8b3c0f6977193d3b3c035166b13d13ea
SHA1 0a3ca770fe8c55c1e7a039a799dc0fa0d55122e3
SHA256 0836dbca46bb358db21a6d441aa14bce41807606991bc17564a2a3a60dd8ff13
SHA512 ab0c4a0cc7608a202c0e58c84934d0578c6e353b3a712aea5fbf89d04e062b2e58e52906667c880da1dea53992d7bec55d894c18067524307837f73406e2895f

\Windows\SysWOW64\rkdxhkri.exe

MD5 56b12549e08a180b57a3c82c3303f14e
SHA1 7a60e212c3434ca3cfd5cda7b0dbc3d3fbe1c0e9
SHA256 81904fe2e2435a1300e56bf1905002284016a4809a16386733fd0eb1d112fe37
SHA512 76ae4b4aba90f4281121c2b036200c15a6ba9aa715e1cb3f4c44ad5b0344647422dd8eeccbd9676b081677836dc5cf34d3fd0d2b776d3aa7ad1023754e70f986

\Windows\SysWOW64\pjrcaggwrkgsz.exe

MD5 cd9f30612480793a6dd1e4728173068a
SHA1 7aee0c472f87a4707f953a709e65450bc83ec5cd
SHA256 89beee5672a94371aaee7eca295acf4058e7fcd8a12e07d9ed485b68703767c5
SHA512 e2558f1072b5aafa76bdd84fedd1299f34384c79e2c478a8d2dea218717828d857ab8916fcd3217cd69a9d3b6c2e149e6355bb1c917443b50ab66dd7015a8c93

memory/2596-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 92f6005c94e7e7cd97a0f4f01b533e3a
SHA1 623885b37b22498362658f7d6287b721b07405dd
SHA256 22080aceaafd79b42372e17bd7e498bcf00acd20b804649de41a6b7efe8a2236
SHA512 62540186746ca9d1b4e7af4a6bcadcc8934f69673497c8f92c77f48f40912d1da2b922ebd980fae0e38eef87103c369d497ff3e1fc2dc4b69edbbb451e19208a

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 d6205d491d20cdd4db161941997b9912
SHA1 f169ca4e83fbb34bf8f33e9155a95258e0faee1c
SHA256 f2808779322d1e0252119f335e426dec7319dce4b6abaf84a3e8dc52d2f63095
SHA512 05aa7419391a3966bbec86b41ee7e6fa78e73d07819c85e40a42938f1bae4fd23f4d8c5a99f75843ac701aa857da79136265801a781e237594d0cda285dbb84a

memory/1752-79-0x00000000029A0000-0x00000000029B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:26

Reported

2024-06-14 04:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\reaysacm = "kkzvzpvypz.exe" C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rrpfppgi = "eiimyumrfuwzziz.exe" C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kqycnkylakphq.exe" C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
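
The Explorer, Security Center, Policies, Run and Winlogon writes above are this detonation's defence-evasion and persistence set. All of them come from 32-bit processes, which is why the machine-wide keys appear under WOW6432Node; a check on a 64-bit host therefore has to read both registry views. The Python below is an added example, not part of the report: it parses one row per write, maps each to a category and the closest ATT&CK technique using the example's own rule table (those mappings and category names are my assumptions, not the sandbox's), and converts the SFCDisable value to a signed DWORD. 4294967197 is 0xFFFFFF9D, or -99 when read as signed, the Windows 2000/XP-era switch for Windows File Protection; Windows 10's Windows Resource Protection does not honour it, so this write says more about the sample's age than about the host's state. The Run values are bare file names without a path, so where they resolve depends on the loader's search path and is worth confirming on the host rather than assumed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the registry writes from the behavioral2 signature
# tables above (Explorer, Security Center, Policies, Run, Winlogon), one row
# each, in the report's "<op> <key\name> = "<data>" <process> <target>" layout.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\reaysacm = "kkzvzpvypz.exe" C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rrpfppgi = "eiimyumrfuwzziz.exe" C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kqycnkylakphq.exe" C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>.*?) = "(?P<data>[^"]*)" '
    r'(?P<proc>[A-Za-z]:\\.*?) (?:N/A|[A-Za-z]:\\.*)$'
)

# Rule table of this example (not the sandbox's): key suffix, value names it
# applies to (None = any), category, closest ATT&CK technique, and why it matters.
RULES: List[Tuple[str, Optional[set], str, str, str]] = [
    ("\\explorer\\advanced", {"hidefileext", "showsuperhidden", "hidden"},
     "explorer-hide", "T1564.001",
     "makes double extensions and hidden/system files invisible in Explorer"),
    ("\\microsoft\\security center", None,
     "security-center", "T1562.001",
     "silences Security Center AV/firewall/update warnings"),
    ("\\policies\\system", {"disableregistrytools", "disabletaskmgr"},
     "policy-lockout", "T1112",
     "blocks the user's own recovery tools (regedit/taskmgr)"),
    ("\\currentversion\\run", None,
     "autorun", "T1547.001",
     "starts the named binary at every logon"),
    ("\\winlogon", {"sfcdisable", "sfcscan"},
     "wfp-disable", "T1562.001",
     "legacy attempt to switch off Windows File Protection"),
]


def to_signed_dword(text: str) -> Optional[int]:
    """Registry DWORDs are unsigned; old SFC switches are documented as
    negative numbers, so show both views."""
    try:
        v = int(text)
    except ValueError:
        return None
    return v - (1 << 32) if v >= (1 << 31) else v


def classify(row: str) -> Optional[Dict[str, object]]:
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m["key"].rpartition("\\")   # "...\Run\" gives the (Default) value
    view = "WOW64 (32-bit view)" if "\\wow6432node\\" in key.lower() else "native"
    for suffix, names, category, technique, why in RULES:
        if key.lower().endswith(suffix) and (names is None or name.lower() in names):
            finding: Dict[str, object] = {
                "category": category, "technique": technique, "why": why,
                "key": key, "name": name or "(Default)", "value": m["data"],
                "process": m["proc"].rsplit("\\", 1)[-1], "view": view,
            }
            if name.lower() == "sfcdisable":
                raw = int(m["data"]) & 0xFFFFFFFF
                finding["signed"] = to_signed_dword(m["data"])
                finding["hex"] = f"0x{raw:08x}"
            return finding
    return None


def analyse(rows: List[str] = SAMPLE_ROWS):
    findings = [f for f in map(classify, rows) if f]
    by_category = Counter(f["category"] for f in findings)
    by_process = Counter(f["process"] for f in findings)
    return findings, by_category, by_process


if __name__ == "__main__":
    findings, by_category, by_process = analyse()
    for f in findings:
        extra = f" signed={f['signed']} {f['hex']}" if "signed" in f else ""
        print(f"[{f['category']:15}] {f['technique']} {f['process']}: "
              f"{f['name']} = {f['value']} ({f['view']}){extra}")
    print(dict(by_category), dict(by_process))
```

Grouping by writer is the useful split here: the Security Center, Explorer and Winlogon tampering all come from kkzvzpvypz.exe while the Run keys come from eiimyumrfuwzziz.exe, which tells you which dropped binary to pull first when only one of them is recovered from a host.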

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\eiimyumrfuwzziz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\eiimyumrfuwzziz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created C:\Windows\SysWOW64\vlrcxhud.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vlrcxhud.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created C:\Windows\SysWOW64\kkzvzpvypz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kkzvzpvypz.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kqycnkylakphq.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kqycnkylakphq.exe C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vlrcxhud.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0A9D2382596D3677D077202DD77C8E65AA" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB0FE1C22D1D173D0D68A7A9167" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70814E2DAC4B9BB7FE4EDE034B9" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFABDF964F19484793A4486963E93B08903F142160233E2C442E909A0" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B15F4497399A52BDBAA133E9D7BB" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCF94F2985129136D72C7E9CBDE1E133593566476336D6EC" C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\kqycnkylakphq.exe N/A
N/A N/A C:\Windows\SysWOW64\vlrcxhud.exe N/A
N/A N/A C:\Windows\SysWOW64\eiimyumrfuwzziz.exe N/A
N/A N/A C:\Windows\SysWOW64\kkzvzpvypz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\kkzvzpvypz.exe
PID 4944 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\kkzvzpvypz.exe
PID 4944 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\kkzvzpvypz.exe
PID 4944 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\eiimyumrfuwzziz.exe
PID 4944 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\eiimyumrfuwzziz.exe
PID 4944 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\eiimyumrfuwzziz.exe
PID 4944 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\vlrcxhud.exe
PID 4944 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\vlrcxhud.exe
PID 4944 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\vlrcxhud.exe
PID 4944 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\kqycnkylakphq.exe
PID 4944 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\kqycnkylakphq.exe
PID 4944 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Windows\SysWOW64\kqycnkylakphq.exe
PID 4944 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4944 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2880 wrote to memory of 976 N/A C:\Windows\SysWOW64\kkzvzpvypz.exe C:\Windows\SysWOW64\vlrcxhud.exe
PID 2880 wrote to memory of 976 N/A C:\Windows\SysWOW64\kkzvzpvypz.exe C:\Windows\SysWOW64\vlrcxhud.exe
PID 2880 wrote to memory of 976 N/A C:\Windows\SysWOW64\kkzvzpvypz.exe C:\Windows\SysWOW64\vlrcxhud.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a80146d37720556f31322741b751257a_JaffaCakes118.exe"

C:\Windows\SysWOW64\kkzvzpvypz.exe

kkzvzpvypz.exe

C:\Windows\SysWOW64\eiimyumrfuwzziz.exe

eiimyumrfuwzziz.exe

C:\Windows\SysWOW64\vlrcxhud.exe

vlrcxhud.exe

C:\Windows\SysWOW64\kqycnkylakphq.exe

kqycnkylakphq.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\vlrcxhud.exe

C:\Windows\system32\vlrcxhud.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

C:\Windows\SysWOW64\eiimyumrfuwzziz.exe

MD5 71fba7b1f7612ce86eea08193fc869b1
SHA1 4e22b1bf793b5543b38f4f714cd87d0b0b3efef3
SHA256 4dc1f336e1485bb917bc3d286c65b77d2c9bd7100303b934e3544e3b5f4cca4f
SHA512 ff87274716f7d866924eca64039774751c0e67c9acb3aa6858f6462088c716c13d98a1a8eee4328143fc427ba036e3b734b3e844bae0cfd3262872564e2d1ff2

C:\Windows\SysWOW64\kkzvzpvypz.exe

MD5 38933ec4fffbde6e6a547cb0b7a45d70
SHA1 a1ce56c75af303bf17b4b1d91bb870d3d0354166
SHA256 0fc2ca4691dfe22b1dcc5735b8a29909997ef3229f1af7b180e11036fd39d122
SHA512 23173988f2b12e12d5ee914f393379e539aa17deaa785508cb70d74cecc4067909f56562a2569196db48417a88c0906f7542fe34edbf59982203372d2104d6b1

C:\Windows\SysWOW64\vlrcxhud.exe

MD5 10c670b1b105d0aa723911d98547547d
SHA1 c5beac3fe522be1865b0bbd9340531f93f70b176
SHA256 d0bf0a261776a72aa6e5e1358664330449bbef9048c90318bd02e0bcbaf3c15d
SHA512 23a57427d50360dcfec2e81d1991a66dbe690d09e412a84d8a629e412b3ee6356e778fafa6c0744ca13d7b1de8987ad9969dc3fc18ec57e3e425b1463fa949ed

C:\Windows\SysWOW64\kqycnkylakphq.exe

MD5 45dfcee772e69309e612717f3d102af6
SHA1 c2008dd6e7e6c5c41fa86728b68bca39ebaa58f8
SHA256 e65df76ec5dd585732d5da294d2026571f9d62877bcd7843d02248cadc926cae
SHA512 82dba300f6198a4a7188903b5959f0aa1fb314a714f55fccdc762fad48e4a34bd729ed186387121d8dc8973bfd72f4b2963f9ac8b47bb09e4aa49ead474da9a1

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 2fae0fe44fb67ed515b21a2b6fba40e3
SHA1 d39c4cb134c596851c157406149129a69844613b
SHA256 bd528b67c4e7b5924426cb6edc6bd85896db3a43e596bc76d32632d33eccc2b1
SHA512 9902e514810847d11b83ceb64209c7a363f3b482f5444474673988fa0729295d8612ae6aa0d81a09d9adeb958f7e0251b414ef808f82f279df504bc04a347087

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 cfd6230f88f2f44543605b8a6a7652f6
SHA1 dc91354b537ad999b095b9510c20e4fffc56bd98
SHA256 c22821fa4cabe3a9c4b7cee357f42c23f88eab6905bfa3385bab0cb58253ab66
SHA512 ae1f55076f18e2610294e7b0c52c8182f3678b39422f2a79c4240f9a3f37bc41600c6e3c9f9e349350fb7bdb0f78df0da4d9a6aa048dcffbc8d84b6f9b6fd936

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 2ec3eae643e0211c845255c0ec06bd41
SHA1 712535bee177afe54dbb54f852f772cceb92649c
SHA256 c74bf335ccbfdfc1e368193852b27e8f4d6c179f2c539d8e35ae6c09ce5cf89a
SHA512 8ef5de4e59e14dc435947203d6432553b4053da2d84c3e36e39788a389954afc2323a11a170573e37cbe9076fee4dad3294027a78bfdcfb4a591936b26ec184e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ea50d1cbad35b9671f32685deb6a73dd
SHA1 16a3bfc4f4963b99dd7d416e01aa2f9ebedc6fcc
SHA256 c9564961661a31014837a9ce74d9aeb4726dff575edb9a3f6257f22eb4b4c448
SHA512 202f3ffc021ff9a8cd16afb9b05dc55adbbf489ae3f2a615b098322cd6955d57a18da215063c0010db83ae127ddf228ae723ceb2269a0082c62d9fb14182cef5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7f9c03bfc42c9f5938a54a1a5353f207
SHA1 25ffe0d8b4779489cd60ce09d613a8650ef89272
SHA256 5bda12c80537a3975da478856118c421c6b626397eb8a5f5c3c7aca89d5ab6ab
SHA512 f84a898931d2c8aaad7c5ba95280df046d30d185a541147173b14618631c21302bb8f4bbbcb51f53d5e6cdd5e94bec607256320d69164da153649813efac6681

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 9b0dabe092af07a81b47d9050d2adf2a
SHA1 f4d411065bf67b5c1b3a964ae876ad6cb8a0b4e4
SHA256 2429a93f4506ea66ab8d81a30d6d203629e8c1c4f73db37a9d8f605414494fb3
SHA512 0bd0cecbd9ead3afc3c36f4cd6e92f7f56da5a92ca903178a832f956b3d5307f87a9a52dd5306dc068154a8e89449ea6c7556a7bb4392175294f63254e2cfaf0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 bb40f35315b85f40d67777158c2cc7f3
SHA1 436209bffac45603f993548a957a00566f602ae7
SHA256 d23d4afd41f19ae79f96ff8c5f01bc9dda0e0f1b7c8b2c72debcd42835d2fed1
SHA512 cf83369b12b541eee015aa88fb67766d8334907a6365bf84690fd2eb047d8b3b12b06b5067a288e4c24049d6673763e52e3fffd6f6d735751f1719b0e9381e85
