Malware Analysis Report

2025-03-14 22:58

Sample ID 240406-3vf8jsee8w
Target e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118
SHA256 4548e30426a982cbbed7b6db24c8242a26d9788e4da4639e76f4950d5174cfa6
Tags
evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4548e30426a982cbbed7b6db24c8242a26d9788e4da4639e76f4950d5174cfa6

Threat Level: Known bad

The file e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:49

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:49

Reported

2024-04-06 23:52

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ihxhzrky = "vhxuvbstndorpcj.exe" C:\Windows\SysWOW64\vhxuvbstndorpcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wwkmtlpnbsklt.exe" C:\Windows\SysWOW64\vhxuvbstndorpcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdlgdjcz = "qlxvhecxmp.exe" C:\Windows\SysWOW64\vhxuvbstndorpcj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File created C:\Windows\SysWOW64\qlxvhecxmp.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qlxvhecxmp.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\vhxuvbstndorpcj.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ojcczitx.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ojcczitx.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wwkmtlpnbsklt.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wwkmtlpnbsklt.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File created C:\Windows\SysWOW64\vhxuvbstndorpcj.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\qlxvhecxmp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ojcczitx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ojcczitx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ojcczitx.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B1204794399A52C4BAA233EAD4CE" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C0F9D2182596A3476D570252DD67D8365D9" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFB482B851C903CD72B7E95BDE3E130584467356332D690" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABCFE65F2E5840F3B4381983E95B08102F04367023BE2CE429C08A0" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB1FE6821DFD20FD0A48A7A9060" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C6791493DAB3B9CE7FE6ED9537B9" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\qlxvhecxmp.exe N/A
N/A N/A C:\Windows\SysWOW64\ojcczitx.exe N/A
N/A N/A C:\Windows\SysWOW64\vhxuvbstndorpcj.exe N/A
N/A N/A C:\Windows\SysWOW64\wwkmtlpnbsklt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\qlxvhecxmp.exe
PID 3216 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\vhxuvbstndorpcj.exe
PID 3216 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\ojcczitx.exe
PID 3216 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\wwkmtlpnbsklt.exe
PID 3216 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2656 wrote to memory of 5696 N/A C:\Windows\SysWOW64\qlxvhecxmp.exe C:\Windows\SysWOW64\ojcczitx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe"

C:\Windows\SysWOW64\qlxvhecxmp.exe

qlxvhecxmp.exe

C:\Windows\SysWOW64\vhxuvbstndorpcj.exe

vhxuvbstndorpcj.exe

C:\Windows\SysWOW64\ojcczitx.exe

ojcczitx.exe

C:\Windows\SysWOW64\wwkmtlpnbsklt.exe

wwkmtlpnbsklt.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\ojcczitx.exe

C:\Windows\system32\ojcczitx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3216-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\vhxuvbstndorpcj.exe

MD5 77b52c75c728ab16fb912c14369a856c
SHA1 7307ae5ea3254e16b1628f7682e4f770ae1c777f
SHA256 c53cfcb4cd7f1a9e596a14a73bd1a220562fde5288faefca7fdb59f9fd19c3dd
SHA512 ab3e3b51d17d98084c127c3f60103347fc6cfbe99266b220e61538161fbc6a669d590585f9bd22214ab24be0c3bb30dab84bb57904f481fcc613299016404826

C:\Windows\SysWOW64\qlxvhecxmp.exe

MD5 a5e8544790adfdf1f2c2b9cfe3003eab
SHA1 486d8a73f0eb04dc38a347ad57bdd612abf8368d
SHA256 a534e59220f1ff5aa05b7cacef5b8338113a8161b583fe0fd140ea1b856e9852
SHA512 fee4f5c5e66e5076399456ffebb732cd2b5d841c7b57809e140821a4efd7f74374f88e54e1b975d6ad21b391fde9cdb752b02059897a38984e4bdd6d47a21bc2

C:\Windows\SysWOW64\ojcczitx.exe

MD5 4aa96635bea532d9a2293f1320ab37b3
SHA1 148e3b03beef99a656a835655d86939827f8a784
SHA256 9b7628e4e6f19c29c712d1c36f1ae6dcaf4b2c6221d422d5907c18569f1d1bbf
SHA512 9bdc17444d8815e362a10ec97f6486a13b3741a9d4cc6678c80c2b33fd55d29bf3abfea14673883ec4eeb464021be221903c91700bdc614f39dcccbbc08e31b4

C:\Windows\SysWOW64\wwkmtlpnbsklt.exe

MD5 38240b948d6055766750590da7e62daa
SHA1 9eb5ccfbb397c1ca6b9d9f0f19458b7818e4cb7b
SHA256 64c66259fb2841b874b3a5850a64ef8808d256186741c9b453231da3f25e2141
SHA512 b74bdce05e30d0184923d682137e7088fd7b678b76fc1ea8db81e962d22a3803f5e59d18f5cebbc81079cc447a6728fdf895633dfda14bc9340e9c35a5000b29

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 fbaecc6e82985862e9a0701063abef5b
SHA1 87972afc3ac9cb6d0f488ce7ea68fcdc100119f4
SHA256 718cfd87f01df49fd7c42ceeb63f40914963f52270b41aa0f84ceb418f1fdf1c
SHA512 50e9f5b63b83f08363cf03eeea9a178be70bb0f434e23af4105f11cd7cd0f82958846260aa9e6a2569f693972bee7bc3d2dbef1edbe54e33ed9fd037f864ae51

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 9b255f4242263cbe8976b170a5441bc6
SHA1 4281ab7ab6ef4169b2ef8276f47aa0a3631d6c1e
SHA256 c45c2eda8edfd534c13fdee83f2001ff240e3ce135030dc555ff498535bfbd9f
SHA512 1c5c94d6c87a61b01798d3c3114b1dc03e1d6ce66a33317123e5e62ca87a2effbcc8f973f38304b12068b9a04bdf3e3d2680e6802e145c91aaf7977dd5a92f22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 d066ac91fb0e5d654d800f183bb1e3ac
SHA1 c98bedf956278c6a8bdada0467cfdbf19b10b8de
SHA256 c4021de2c949fa2252c9b7f9b7f81d8b95294bab909a613027cee108bbf65513
SHA512 fbd19bc91a64567bdd503ec21799ca90a7fbf109368c46bb21f53a1fbedcee58dad47a9243d2af565ca83e52ddb8c81cac42abcb172521596f29feddbeabc657

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 aba223bed5394ee15a99bab87494e9b1
SHA1 8aad99f5f911acb6189d44f7b75d8b487f11dbfb
SHA256 25a5c7d9ab4cbb8ec63fb8f483976c8fd285af8092d27854514a611a477fd127
SHA512 4ec99276c1ba031c342ee30850c4f6391a24fbd760e51ffaa9ed60c46aea68e09932ba88c55a1213db05e045b39d801227c0618b7d5df5e0c3ba560a170cfd0f

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 18e791907816db41b61181775f94f4a4
SHA1 289d4f67b31e8b3b7fbe3aa4c222cc493960fa20
SHA256 e8da6f102aed09f6008027dbd457b0eeca37e411172a2e50aa3cc175980ae5c2
SHA512 2c5fe5ace01e56f3d0142a37617acb80f6521a37461bc4e24f52ca4cbb8af082c0827d86ea21b41b4a16727225d659d8af667662c5cf5250738c5ee732116238

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 9f9c0ecb7e1bd5b7b857f15fd07a5065
SHA1 b03b54afbde0709858c20a6281ea2c634d1b4de6
SHA256 0c3160915b94055cdc9880c9f4423e72192e7befd0bfb716f821265849ab1d85
SHA512 e31e0492fef5212a9fb510541550c5d73f4afe0ef2e0e973f252cd45f029c21157ade1147742391974dc0eafaf5597489d4c5d4c637b5f1212216ab04b9ec811

memory/208-108-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

memory/208-130-0x00007FFC9C070000-0x00007FFC9C080000-memory.dmp

memory/208-131-0x00007FFC9C070000-0x00007FFC9C080000-memory.dmp

memory/208-132-0x00007FFC9C070000-0x00007FFC9C080000-memory.dmp

memory/208-133-0x00007FFC9C070000-0x00007FFC9C080000-memory.dmp

memory/208-134-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

memory/208-136-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

memory/208-135-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:49

Reported

2024-04-06 23:52

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\xodiuunsts.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "umzjkuoydmgkf.exe" C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fjrwbjvc = "xodiuunsts.exe" C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\flyomaos = "kgzxrelzcgwotqk.exe" C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\xodiuunsts.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\xodiuunsts.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\xodiuunsts.exe N/A
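
The registry writes in the tables above, together with the `.bat` default-value remap recorded further down under "Modifies registry class", are this run's evasion and persistence evidence, all of it written by the dropped SysWOW64 binaries. The Python below is an added example and not part of the sandbox output: it parses rows in the flattened "Description Indicator Process Target" form the report uses, normalises the `\REGISTRY\MACHINE`/`\REGISTRY\USER\<SID>` hive prefixes and the `Wow6432Node` redirection, and applies rules that reproduce the report's signatures. The sample rows are copied from this report; the rule names are this example's own labels and the thresholds are the values the sandbox recorded.

```python
"""Parse this report's flattened 'Description Indicator Process Target' registry
rows and flag the evasion/persistence writes its signatures name."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

@dataclass
class RegEvent:
    action: str                     # "set", "created" or "deleted"
    key: str                        # key path with the hive normalised
    name: Optional[str]             # value name; "" is the key's default value
    vtype: Optional[str]            # int / str / data; None for key operations
    value: Union[str, bytes, None]  # str for int/str values, bytes for data
    process: str                    # image path of the writing process

_HEAD = re.compile(r"^(Set value \((int|str|data)\)|Key created|Key deleted)\s+")
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # "..." honouring \" and \\ escapes
_SID = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+", re.I)

def normalise_key(raw: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<sid> -> HKCU, and drop the
    Wow6432Node redirection so 32-bit writers compare against native paths."""
    key = _SID.sub("HKCU", raw)
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    return re.sub(r"\\Wow6432Node(?=\\)", "", key, flags=re.I)

def parse_row(row: str) -> Optional[RegEvent]:
    """One report row -> RegEvent; None for rows that are not registry operations."""
    row = row.strip()
    m = _HEAD.match(row)
    if not m:
        return None
    rest = row[m.end():]
    if m.group(1).startswith("Key"):
        # Key paths may contain spaces: Process starts at the first drive-letter path.
        cut = re.search(r"\s+(?=[A-Za-z]:\\)", rest)
        if not cut:
            raise ValueError("no process path in row: " + row)
        process = rest[cut.end():].rsplit(None, 1)[0]   # last token is Target
        return RegEvent(m.group(1).split()[1], normalise_key(rest[:cut.start()]),
                        None, None, None, process)
    keypath, tail = rest.split(" = ", 1)
    if m.group(2) == "data":
        hexval, proc_target = tail.split(None, 1)
        value: Union[str, bytes] = bytes.fromhex(hexval)
    else:
        q = _QUOTED.match(tail)
        value = re.sub(r"\\(.)", r"\1", q.group(1))   # undo \" and \\ escaping
        proc_target = tail[q.end():].strip()
    key, name = keypath.rsplit("\\", 1)   # trailing "\" = the key's default value
    return RegEvent("set", normalise_key(key), name, m.group(2), value,
                    proc_target.rsplit(None, 1)[0])

SC_NOTIFY = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
             "AntiVirusOverride", "FirewallOverride", "FirstRunDisabled"}

def _under(ev: RegEvent, suffix: str) -> bool:
    return ev.key.lower().endswith(suffix.lower())

def detect(events: List[RegEvent]) -> List[Tuple[str, RegEvent]]:
    """Pair each value write with the signature it satisfies; other rows fall through."""
    hits = []
    for ev in events:
        if ev.action != "set":
            continue
        if _under(ev, "Microsoft\\Security Center") and ev.name in SC_NOTIFY and ev.value == "1":
            hits.append(("security_center_notifications_disabled", ev))
        elif _under(ev, "Explorer\\Advanced") and (ev.name, ev.value) in {
                ("HideFileExt", "1"), ("ShowSuperHidden", "0")}:
            hits.append(("explorer_hides_extensions_or_system_files", ev))
        elif _under(ev, "Policies\\System") and ev.name == "DisableRegistryTools" and ev.value == "1":
            hits.append(("regedit_disabled", ev))
        elif _under(ev, "CurrentVersion\\Winlogon") and ev.name == "SFCDisable" and ev.value != "0":
            # 4294967197 is 0xFFFFFF9D, i.e. -99 as a signed DWORD, the legacy WFP off-switch.
            hits.append(("sfc_disabled", ev))
        elif _under(ev, "CurrentVersion\\Run") and "\\syswow64\\" in ev.process.lower():
            hits.append(("run_key_written_from_syswow64", ev))
        elif _under(ev, "Classes\\.bat") and ev.name == "" and ev.value == "txtfile":
            hits.append(("bat_extension_remapped_to_text", ev))
    return hits

REPORT_ROWS = [  # copied from this report; the .bat row is from "Modifies registry class"
    r'Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "umzjkuoydmgkf.exe" C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fjrwbjvc = "xodiuunsts.exe" C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xodiuunsts.exe N/A',
]

if __name__ == "__main__":
    for rule, ev in detect([e for e in map(parse_row, REPORT_ROWS) if e]):
        image = ev.process.rsplit("\\", 1)[-1]
        print(f"{rule:42} {image:24} {ev.key}\\{ev.name}")
```

Two points worth keeping in mind when reusing this: the Run-key rule keys on the writer's image path rather than on the value, because the values here are bare file names that only resolve to `C:\Windows\SysWOW64\` through the search path; and `SFCScan = "0"` is left unflagged because it is the default, whereas any non-zero `SFCDisable` is a tamper indicator even on systems where Windows Resource Protection no longer honours it.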

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xodiuunsts.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\xodiuunsts.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ysxvpnpw.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ysxvpnpw.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\umzjkuoydmgkf.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\umzjkuoydmgkf.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\xodiuunsts.exe N/A
File created C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ysxvpnpw.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ysxvpnpw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
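
Every row in this table is written by WINWORD.EXE, which the "Drops file in Windows directory" table shows opening the dropped C:\Windows\mydoc.rtf, and the values point at Office's own binaries. The REG_BINARY "command" values (here and, byte for byte, in the "Modifies registry class" table that follows) are hex dumps of UTF-16LE text. The Python below is an added example, not sandbox output: it decodes those blobs and unpacks the Windows Installer "Darwin descriptor" they carry, which is 20 base-85 characters of compressed product GUID, a feature name, `>`, 20 characters of compressed component GUID, then the launch arguments. The two sample blobs are copied from this report; the base-85 alphabet and little-endian DWORD layout are the ones Windows Installer uses for compressed GUIDs, so `decompress_guid` works for any such descriptor, not just these two. The product GUID decodes to {90140000-0011-0000-0000-0000000FF1CE}, an Office 2010 (14.0) product code matching the Office14 paths in this run, which marks these rows as Word's own advertised-handler registration rather than activity of the dropped SysWOW64 binaries.

```python
"""Decode the REG_BINARY "command" values this report prints as hex and unpack
the Windows Installer (Darwin) descriptor they carry. Sample blobs are copied
from the report's WINWORD.EXE rows."""
import re
from typing import Dict, Optional

# Base-85 alphabet Windows Installer uses to pack a 16-byte GUID into 20 chars
_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
             "abcdefghijklmnopqrstuvwxyz{}~")
# descriptor = compressed product GUID, feature name, '>', compressed component
# GUID; whatever follows is the command-line tail ('>' is not in the alphabet)
_DESCRIPTOR = re.compile(r"^(?P<product>.{20})(?P<feature>[^>]+)>(?P<component>.{20})(?P<args>.*)$")

def reg_binary_to_text(hexdata: str) -> str:
    """Hex dump of a REG_BINARY payload -> its UTF-16LE text, NUL padding removed."""
    return bytes.fromhex(hexdata).decode("utf-16-le").rstrip("\x00")

def decompress_guid(packed: str) -> str:
    """20-char compressed GUID -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
    Each 5-char group is one little-endian base-85 DWORD of the in-memory GUID."""
    if len(packed) != 20:
        raise ValueError("compressed GUID must be 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        val = 0
        for ch in reversed(packed[i:i + 5]):
            val = val * 85 + _ALPHABET.index(ch)   # ValueError on a foreign char
        if val > 0xFFFFFFFF:
            raise ValueError("group does not fit a DWORD")
        dwords.append(val)
    data4 = dwords[2].to_bytes(4, "little") + dwords[3].to_bytes(4, "little")
    return "{%08X-%04X-%04X-%s-%s}" % (dwords[0], dwords[1] & 0xFFFF, dwords[1] >> 16,
                                       data4[:2].hex().upper(), data4[2:].hex().upper())

def parse_descriptor(hexdata: str) -> Optional[Dict[str, str]]:
    """Descriptor fields for a REG_BINARY blob, or None if it is not one."""
    text = reg_binary_to_text(hexdata)
    m = _DESCRIPTOR.match(text)
    if not m:
        return None
    try:
        product, component = decompress_guid(m["product"]), decompress_guid(m["component"])
    except ValueError:
        return None
    return {"text": text, "product": product, "feature": m["feature"],
            "component": component, "args": m["args"]}

WORD_COMMAND = (  # Default MHTML Editor\shell\edit\command "command" data, from the report
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a007500"
    "20002f006e002000220025003100220000000000")
EXCEL_COMMAND = (  # .htm\OpenWithList\Excel.exe\shell\edit\command "command" data, from the report
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c00650073003e00"
    "560069006a00710042006f006600280059003800270077002100460049006400310067004c005100"
    "20002f0064006400650000000000")

if __name__ == "__main__":
    for label, blob in (("Word", WORD_COMMAND), ("Excel", EXCEL_COMMAND)):
        d = parse_descriptor(blob)
        print(f"{label}: product={d['product']} feature={d['feature']} args={d['args']!r}")
```

The practical use is triage: a `command` blob whose descriptor decodes to a known product GUID and whose arguments are the plain `/n "%1"` or `/dde` launch switches is an installer artefact, while a blob that does not parse as a descriptor, or whose tail carries an unexpected command line, deserves the same scrutiny as the `Set value (str)` rows.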

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\xodiuunsts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFACAFE67F291840B3B4486973EE2B08C028842160349E2CA459A08A1" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\xodiuunsts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BC6FF6622DFD272D0A48B7F9110" C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xodiuunsts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\xodiuunsts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
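Two very different writers share the registry table above. The long hex "Set value (data)" entries that WINWORD.EXE writes under ...\shell\edit\command\command are REG_MULTI_SZ text in UTF-16LE; decoded, every one of them starts with xb'BV5!!!!!!!!!MKKSk, the Windows Installer descriptor prefix Office uses when it registers its own file types on first launch. They are Office noise even though WINWORD.EXE was started by the sample. The rows that matter are the file-association changes made by the dropped xodiuunsts.exe: the .bat default value pointed at "txtfile" and the new .wsh key. The Python below is an added example, not part of the sandbox output; it decodes rows copied from the table (trimmed to operation, key, value, process) and applies a triage rule of this example's own making (default value of HKLM\...\Classes\.<ext> written by anything outside the Office directory), not a signature the sandbox fired.

```python
"""Decode and triage 'Set value' rows from the registry table above.

Added example; not part of the sandbox report. REG_ROWS is constructed from
rows of the table (operation, key, value, writing process).
"""
import re

OFFICE_DIR = r"C:\Program Files (x86)\Microsoft Office\Office14"

REG_ROWS = [
    ("Set value (data)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command",
     "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
     OFFICE_DIR + r"\WINWORD.EXE"),
    ("Set value (data)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command",
     "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
     OFFICE_DIR + r"\WINWORD.EXE"),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.bat\\",   # trailing '\' is the (Default) value
     '"txtfile"',
     r"C:\Windows\SysWOW64\xodiuunsts.exe"),
    ("Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\mhtmlfile\\shell\\Edit\\command\\",
     r'"\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"',
     OFFICE_DIR + r"\WINWORD.EXE"),
]

# Windows Installer descriptor prefix as Office writes it (product/component
# reference that the shell resolves through MSI, not a command line).
DARWIN_RE = re.compile(r"^xb'BV5!+MKKSk")
# Default value of a file-extension key, e.g. \Classes\.bat\  (assumption: this
# is the shape of an association hijack worth flagging)
ASSOC_DEFAULT_RE = re.compile(r"\\Classes\\(\.[A-Za-z0-9]+)\\$")


def decode_reg_binary(hex_data: str) -> str:
    """The sandbox dumps binary/multi-string data as hex. Office stores UTF-16LE
    text here, so decode it and drop the terminating NULs; return the hex
    unchanged when the bytes are not valid UTF-16LE."""
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        return hex_data
    try:
        return raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return hex_data


def is_darwin_descriptor(text: str) -> bool:
    return DARWIN_RE.match(text) is not None


def is_association_hijack(key: str, process: str) -> bool:
    """Extension default value set by a process outside the Office directory."""
    outside_office = not process.lower().startswith(OFFICE_DIR.lower())
    return ASSOC_DEFAULT_RE.search(key) is not None and outside_office


def triage(rows):
    """One dict per row: decoded value plus the two verdicts above."""
    out = []
    for op, key, value, process in rows:
        decoded = decode_reg_binary(value) if op == "Set value (data)" else value
        out.append({
            "key": key,
            "process": process,
            "value": decoded,
            "office_noise": is_darwin_descriptor(decoded),
            "assoc_hijack": is_association_hijack(key, process),
        })
    return out


def suspicious(rows):
    """Rows to carry into the report: association changes that are not Office noise."""
    return [r for r in triage(rows) if r["assoc_hijack"] and not r["office_noise"]]


if __name__ == "__main__":
    for r in triage(REG_ROWS):
        tag = "NOISE" if r["office_noise"] else ("HIJACK" if r["assoc_hijack"] else "-")
        name = r["process"].rsplit("\\", 1)[-1]
        print(f"{tag:6} {name:16} {r['key']} = {r['value']}")
```

Run as a script it prints the decoded descriptor text for the two WINWORD rows (both tagged NOISE), the msohtmed.exe edit command untouched, and the .bat rewrite tagged HIJACK. Keep the "outside the Office directory" rule in perspective: it only separates Office's own registrations from everything else in this table, and the Office process itself was launched by the sample (see the WriteProcessMemory table further down), so an Office-path process is not trusted in general, only its descriptor rows are.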

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\xodiuunsts.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\ysxvpnpw.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\SysWOW64\umzjkuoydmgkf.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\xodiuunsts.exe
PID 2856 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\xodiuunsts.exe
PID 2856 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\xodiuunsts.exe
PID 2856 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\xodiuunsts.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe
PID 2856 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe
PID 2856 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2856 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2856 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2856 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\umzjkuoydmgkf.exe
PID 2856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\umzjkuoydmgkf.exe
PID 2856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\umzjkuoydmgkf.exe
PID 2856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Windows\SysWOW64\umzjkuoydmgkf.exe
PID 2968 wrote to memory of 2476 N/A C:\Windows\SysWOW64\xodiuunsts.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2968 wrote to memory of 2476 N/A C:\Windows\SysWOW64\xodiuunsts.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2968 wrote to memory of 2476 N/A C:\Windows\SysWOW64\xodiuunsts.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2968 wrote to memory of 2476 N/A C:\Windows\SysWOW64\xodiuunsts.exe C:\Windows\SysWOW64\ysxvpnpw.exe
PID 2856 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2856 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2856 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2856 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
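The WriteProcessMemory rows above are the only place in this detonation where parent and child PIDs are paired, so they are what you rebuild the process tree from: the sample (2856) writes into four copies in SysWOW64 and into WINWORD.EXE (2412), and xodiuunsts.exe (2968) in turn writes into a second ysxvpnpw.exe (2476), which is why that image appears twice in the Processes list below. The sandbox logs each pair four times; the count is kept as an edge annotation, not read as proof of injection, since this sandbox also records the writes a parent performs while creating an ordinary child. The Python below is an added example, not part of the sandbox output; the six distinct rows are copied from the table and repeated four times to mirror it.

```python
"""Rebuild the process tree from the WriteProcessMemory table above.

Added example; not part of the sandbox report. WPM_ROWS is constructed from
the table (each pair appears four times there, as it does here).
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe"

UNIQUE_LINES = [
    f"PID 2856 wrote to memory of 2968 N/A {SAMPLE} C:\\Windows\\SysWOW64\\xodiuunsts.exe",
    f"PID 2856 wrote to memory of 2568 N/A {SAMPLE} C:\\Windows\\SysWOW64\\kgzxrelzcgwotqk.exe",
    f"PID 2856 wrote to memory of 2516 N/A {SAMPLE} C:\\Windows\\SysWOW64\\ysxvpnpw.exe",
    f"PID 2856 wrote to memory of 2988 N/A {SAMPLE} C:\\Windows\\SysWOW64\\umzjkuoydmgkf.exe",
    r"PID 2968 wrote to memory of 2476 N/A C:\Windows\SysWOW64\xodiuunsts.exe C:\Windows\SysWOW64\ysxvpnpw.exe",
    f"PID 2856 wrote to memory of 2412 N/A {SAMPLE} C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE",
]
WPM_ROWS = [line for line in UNIQUE_LINES for _ in range(4)]

# Source image is matched lazily so a target path containing spaces
# ("Program Files (x86)") still splits at the right place.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_rows(lines):
    """Yield (parent_pid, child_pid, parent_image, child_image) per matching row;
    headers, blanks and rows of another shape are skipped."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_tree(lines):
    children = defaultdict(set)   # parent pid -> set of child pids
    images = {}                   # pid -> image path
    writes = Counter()            # (parent, child) -> logged write events
    for ppid, cpid, pimg, cimg in parse_rows(lines):
        children[ppid].add(cpid)
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        writes[(ppid, cpid)] += 1
    all_children = {c for cs in children.values() for c in cs}
    roots = sorted(p for p in children if p not in all_children)
    return {"children": dict(children), "images": images, "writes": writes, "roots": roots}


def render(tree):
    """Indented tree, one line per process, write count on each edge."""
    lines = []

    def walk(pid, depth, count):
        name = tree["images"][pid].rsplit("\\", 1)[-1]
        edge = f"  [{count} write(s)]" if count else ""
        lines.append(f"{'  ' * depth}{pid} {name}{edge}")
        for child in sorted(tree["children"].get(pid, ())):
            walk(child, depth + 1, tree["writes"][(pid, child)])

    for root in tree["roots"]:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(WPM_ROWS))))
```

The rendered tree has one root (2856), five children under it and a third level for 2476 under 2968. Two things fall out that the flat table hides: ysxvpnpw.exe runs as two distinct PIDs with two distinct parents, and WINWORD.EXE is a child of the sample rather than of explorer.exe, which is what makes its /n "C:\Windows\mydoc.rtf" command line in the Processes section a decoy document rather than a user action.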

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e3947d25d5939735ebdb1d8f2ac22c61_JaffaCakes118.exe"

C:\Windows\SysWOW64\xodiuunsts.exe

xodiuunsts.exe

C:\Windows\SysWOW64\kgzxrelzcgwotqk.exe

kgzxrelzcgwotqk.exe

C:\Windows\SysWOW64\ysxvpnpw.exe

ysxvpnpw.exe

C:\Windows\SysWOW64\umzjkuoydmgkf.exe

umzjkuoydmgkf.exe

C:\Windows\SysWOW64\ysxvpnpw.exe

C:\Windows\system32\ysxvpnpw.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2856-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ysxvpnpw.exe

MD5 c0cb48facb55dbb13418ef9c523174eb
SHA1 834fa57bda4dcca672b93433500da07254848f7a
SHA256 8aa54265bd35b483301ef545f269da11d1a8b45bcad6aec0d7d5f66e59c2dae2
SHA512 8cf8f1afb0e6039575a24a8b24ded8fd644f07f0f7bd7aaa0a9bfd99630e4bf81d1ab77da8731d1b55bd8123e7a79251603210653ceb340570779307e448cdb9

\Windows\SysWOW64\xodiuunsts.exe

MD5 94349e7a78dac5a397454d788490d9e7
SHA1 b6863df6bca8f291045c4b743c699debac9acd8f
SHA256 1f766433daf70e4eca2c761a711498119ff65645ed6ee0dc263c4be8bc5d01b2
SHA512 b53353777ad2864db9ce43af3243e7c5df96350fff47b63f1cd4cc14d108a0064e384b6535d382c5a065d4c62b02ca52ce66d8e0e3932bf4b3b33a78f0b69852

\Windows\SysWOW64\kgzxrelzcgwotqk.exe

MD5 ba7c9f1a494a7fd72c376eaa83623d23
SHA1 38792e888db7f76c58f7f726203d262605c8808f
SHA256 da44813d01ae678a9295e79529b05f309ce1ae55cbf45adb4e58a7bc44e92ff6
SHA512 db735dedbb45060246f97506d73b59cda8e201dbbf2061de704aecc904665671f8345ad5fc41673e4616364379b9def0dffcac7addefc03d97300c5dd3c8a251

\Windows\SysWOW64\umzjkuoydmgkf.exe

MD5 9ac119e55386d1aa41b8d6648266a995
SHA1 4464467bfc84359c32646ccc0a6c21329e38572c
SHA256 a8e443676c126cdfeaa51e0f07353f01c442714814028274e5acd0d5b9388fa2
SHA512 901b187e1fc44c972e3f763d47a582663fc5e8a720c1b3b8a78419446ef53e9494203d4fb6385bd1f9b63e345e80249634e3e4d924c28eba6bb377da5711a7e5

memory/2412-45-0x000000002FDF1000-0x000000002FDF2000-memory.dmp

memory/2412-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2412-47-0x000000007192D000-0x0000000071938000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 c060b7a6d40f992eceb739935d1594f9
SHA1 0bcb3b3bc6eafb587eea715f811cc96fc0ce63b1
SHA256 e2019e656aba466fd386ec0d0fbdd7fcecbd90f9bf5e9de3a3cd8b71488e5b05
SHA512 d1eb79ee2f5687ccca4f805be0f2d198b9891f0fdd2d49383c2d5bbd4ab8af5d686797af20add4d70d36aa883013fdf9a627d955ffbf828ac12bffa58a9cead9

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 eeacf2fde242bd1762942ca21aa3f256
SHA1 c9e397e79c69dc4f7d22fa1d6606bf290cad9525
SHA256 7d3f87eb0d8d260eaaf2339f38da84407f5914a6298f6b93ae2753008f721764
SHA512 946110b38e2fa03de26d6ea71cb8b034aab4b2ff5fb38ff4e1cd419709bfeaaa5a5f02d3dca13135c3ee80eabc6b5e2a8731a7673bfaf16e823c205ff3082567

memory/2788-77-0x0000000004060000-0x0000000004061000-memory.dmp

memory/2412-78-0x000000007192D000-0x0000000071938000-memory.dmp

memory/2788-80-0x0000000004060000-0x0000000004061000-memory.dmp

memory/2788-85-0x00000000027D0000-0x00000000027E0000-memory.dmp
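The Files section is the part of this report that feeds a blocklist or a retro-hunt, but as dumped it mixes hashed files with memory-dump entries, omits the drive letter on three of the SysWOW64 paths, and needs a human to notice that PROTTPLN.DOC.exe and PROTTPLV.DOC.exe are documents in the Office folder turned into executables. The Python below is an added example, not part of the sandbox output: it parses an excerpt copied from the section above (four of the seven hashed files plus two memory-dump lines), sanity-checks each digest length, and applies two flags that are this example's own heuristics (a double extension ending in .exe, and a drop anywhere under C:\Windows). Assuming C: for the paths the sandbox printed without a drive is also this example's assumption.

```python
"""Turn the Files section above into a hunting list with basic sanity checks.

Added example; not part of the sandbox report. FILES_TEXT is an excerpt
constructed from the section above (paths and hashes copied verbatim).
"""
import re

FILES_TEXT = r"""
memory/2856-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ysxvpnpw.exe

MD5 c0cb48facb55dbb13418ef9c523174eb
SHA1 834fa57bda4dcca672b93433500da07254848f7a
SHA256 8aa54265bd35b483301ef545f269da11d1a8b45bcad6aec0d7d5f66e59c2dae2
SHA512 8cf8f1afb0e6039575a24a8b24ded8fd644f07f0f7bd7aaa0a9bfd99630e4bf81d1ab77da8731d1b55bd8123e7a79251603210653ceb340570779307e448cdb9

\Windows\SysWOW64\xodiuunsts.exe

MD5 94349e7a78dac5a397454d788490d9e7
SHA1 b6863df6bca8f291045c4b743c699debac9acd8f
SHA256 1f766433daf70e4eca2c761a711498119ff65645ed6ee0dc263c4be8bc5d01b2
SHA512 b53353777ad2864db9ce43af3243e7c5df96350fff47b63f1cd4cc14d108a0064e384b6535d382c5a065d4c62b02ca52ce66d8e0e3932bf4b3b33a78f0b69852

memory/2412-45-0x000000002FDF1000-0x000000002FDF2000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 c060b7a6d40f992eceb739935d1594f9
SHA1 0bcb3b3bc6eafb587eea715f811cc96fc0ce63b1
SHA256 e2019e656aba466fd386ec0d0fbdd7fcecbd90f9bf5e9de3a3cd8b71488e5b05
SHA512 d1eb79ee2f5687ccca4f805be0f2d198b9891f0fdd2d49383c2d5bbd4ab8af5d686797af20add4d70d36aa883013fdf9a627d955ffbf828ac12bffa58a9cead9
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.I)   # e.g. PROTTPLN.DOC.exe


def normalise(path):
    """Sandbox sometimes prints a path without its drive; assume C: (assumption)."""
    return "C:" + path if path.startswith("\\") else path


def flags_for(path):
    """Heuristics of this example, not sandbox signatures."""
    flags = []
    if DOUBLE_EXT_RE.search(path):
        flags.append("double_extension")
    if path.lower().startswith("c:\\windows\\"):
        flags.append("dropped_in_windows_dir")
    return flags


def parse_files_section(text):
    """Return (file_entries, memory_dumps). A non-empty, non-hash line starts a
    new entry; hash lines attach to the current entry and are length-checked."""
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                algo, digest = m.group(1), m.group(2).lower()
                current[algo.lower()] = digest
                if len(digest) != HASH_LEN[algo]:
                    current["hash_errors"].append(f"{algo} has {len(digest)} hex chars")
            continue
        path = normalise(line)
        current = {"path": path, "flags": flags_for(path), "hash_errors": []}
        entries.append(current)
    return entries, dumps


def sha256_list(entries):
    """Sorted, de-duplicated SHA256 values for a blocklist or retro-hunt."""
    return sorted({e["sha256"] for e in entries if "sha256" in e})


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_TEXT)
    for e in files:
        print(e.get("sha256", "?"), e["path"], ",".join(e["flags"]) or "-")
    print(f"{len(dumps)} memory dump(s) without hashes")
```

Feeding the whole section through the same parser yields seven hashed files and eight memory-dump entries; the two .DOC.exe files are the ones to treat as infected or trojanised documents rather than as dropped tools, and the four random-name binaries in SysWOW64 are the ones whose hashes belong on the blocklist.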