Malware Analysis Report

2024-11-30 04:12

Sample ID 240408-bs4ghscf2t
Target e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118
SHA256 74fd931ee56c8032739350bc1811e034ce4aee2997b50b4583a98127446c6270
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

74fd931ee56c8032739350bc1811e034ce4aee2997b50b4583a98127446c6270

Threat Level: Known bad

The file e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:25

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:25

Reported

2024-04-08 01:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aldeqsoc = "prmrhtjqoa.exe" C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ojmipoga = "inaywyhzidajcwq.exe" C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "scebbdaqpuqat.exe" C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qjyddmof.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\inaywyhzidajcwq.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qjyddmof.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qjyddmof.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\scebbdaqpuqat.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
File created C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\scebbdaqpuqat.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\inaywyhzidajcwq.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification \??\c:\Program Files\ExitSync.doc.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\qjyddmof.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification \??\c:\Program Files\ExitSync.doc.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files\ExitSync.doc.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File created \??\c:\Program Files\ExitSync.doc.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files\ExitSync.doc.exe C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files\ExitSync.nal C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files\ExitSync.nal C:\Windows\SysWOW64\qjyddmof.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\qjyddmof.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12044E7399F53CABAA6329AD7B9" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67B1594DAB2B9BB7C90EDE034C8" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\qjyddmof.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\inaywyhzidajcwq.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\SysWOW64\scebbdaqpuqat.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\prmrhtjqoa.exe
PID 2236 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\prmrhtjqoa.exe
PID 2236 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\prmrhtjqoa.exe
PID 2236 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\prmrhtjqoa.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\inaywyhzidajcwq.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\inaywyhzidajcwq.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\inaywyhzidajcwq.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\inaywyhzidajcwq.exe
PID 2236 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 2236 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 2236 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 2236 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 2236 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\scebbdaqpuqat.exe
PID 2236 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\scebbdaqpuqat.exe
PID 2236 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\scebbdaqpuqat.exe
PID 2236 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\scebbdaqpuqat.exe
PID 2236 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2236 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2236 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2236 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 944 wrote to memory of 596 N/A C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 944 wrote to memory of 596 N/A C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 944 wrote to memory of 596 N/A C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 944 wrote to memory of 596 N/A C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Windows\SysWOW64\qjyddmof.exe
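Read together, the WriteProcessMemory rows above are the launch chain of this detonation. A parent writing into a freshly created child a few times before it starts is what an ordinary CreateProcess launch looks like in this kind of trace, so the rows establish the process tree rather than, on their own, code injection. The script below is an added example (not the sandbox's own code) that de-duplicates the rows and renders the tree; its input is a constructed copy of the distinct rows, with one duplicate kept to show the de-duplication. The second qjyddmof.exe (PID 596, started by prmrhtjqoa.exe, PID 944) is worth noticing: the Processes table likewise lists qjyddmof.exe twice.

```python
"""Rebuild the launch chain from 'Suspicious use of WriteProcessMemory' rows.

Added example for this report; not the sandbox's code.  SAMPLE_ROWS is a
constructed copy of the distinct rows from the table above, plus one
deliberate duplicate.
"""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Split "<process> <target>" at the second drive-letter prefix so that paths
# containing spaces ("Program Files (x86)") are kept whole.
PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")

SAMPLE_ROWS = r"""
PID 2236 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\prmrhtjqoa.exe
PID 2236 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\prmrhtjqoa.exe
PID 2236 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\inaywyhzidajcwq.exe
PID 2236 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\qjyddmof.exe
PID 2236 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\scebbdaqpuqat.exe
PID 2236 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 944 wrote to memory of 596 N/A C:\Windows\SysWOW64\prmrhtjqoa.exe C:\Windows\SysWOW64\qjyddmof.exe
""".strip().splitlines()


def parse_rows(lines):
    """Return ({pid: image path}, {parent pid: set of child pids}).

    Repeated rows for the same parent/child pair collapse into one edge."""
    images, children = {}, defaultdict(set)
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        parent, child, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        parts = PATH_SPLIT.split(rest, maxsplit=1)
        if len(parts) != 2:
            continue                      # malformed row: skip rather than guess
        images[parent], images[child] = parts
        children[parent].add(child)
    return images, children


def roots(children):
    """PIDs that never appear as a child: the top of each chain."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render(images, children):
    """Indented tree, one line per process, children in PID order."""
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}")
        for kid in sorted(children.get(pid, ())):
            walk(kid, depth + 1)

    for r in roots(children):
        walk(r, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render(*parse_rows(SAMPLE_ROWS))))
```

Rows whose process column is a path with spaces survive because the split happens only at a drive-letter prefix, which is the one reliable boundary in this space-separated format.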

Uses Task Scheduler COM API

persistence

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"
C:\Windows\SysWOW64\prmrhtjqoa.exe prmrhtjqoa.exe
C:\Windows\SysWOW64\inaywyhzidajcwq.exe inaywyhzidajcwq.exe
C:\Windows\SysWOW64\qjyddmof.exe qjyddmof.exe
C:\Windows\SysWOW64\scebbdaqpuqat.exe scebbdaqpuqat.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
C:\Windows\SysWOW64\qjyddmof.exe C:\Windows\system32\qjyddmof.exe
C:\Windows\explorer.exe explorer.exe

Network

N/A

Files

memory/2236-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\inaywyhzidajcwq.exe

MD5 2b2ce10d525d225362117606da037a6b
SHA1 147fef4099419279f10d1cc5b57a00dde3aaa1a4
SHA256 7dfadf9ea140d1b6efc842955e3d059bd210a4751001beaf3e1af748a3f97f28
SHA512 d56b64fdb5eb016eb6cdede1f589393ddc97d9f779417567cf0d2a752d6e1f77df2a0489fa1a6ba8fc9cf57b01e92776998c92619fb8a7c8c109ba090067d6f4

\Windows\SysWOW64\prmrhtjqoa.exe

MD5 a88140312ef938c698f91effe670288e
SHA1 a464ce2b48812fa3ca0330413af2e3e98e966b51
SHA256 33a5d30d745e62dd30e47ed57c502b4ad0d02c4e103c77af475138fefa67fbd5
SHA512 8f0ab7033a961fd99b73f31cd4361fdbe14f4c94cc14a77ee72abfbf888e2a79f76eaf588a1c9299e619f8eeac74ebc12e5325521406c70c6b615799244a96cf

C:\Windows\SysWOW64\qjyddmof.exe

MD5 c936aebf8f90265787dc341fdedc67d7
SHA1 60cb5275362d6a4da154f06b4f8dc558f3684e86
SHA256 9d2f7aac0bbeb6d23f201489903936e31e48d8c5c599c8883c25a654e2f20b7d
SHA512 a1501859bace1c01973c3fcb8ad3f7faa35771753093e1e0070972c13cbf1766c6e5d030e5b4f113485a5d7901848de9808f22fce2df61238f0f691d911624a0

\Windows\SysWOW64\scebbdaqpuqat.exe

MD5 0d4fa131cbcb113f94aea7bfc1352430
SHA1 5ee297fac3c49efc83fd354b3d02e9865c7262c0
SHA256 e169f74510a57b6c2a569703c7455109c636f4c061c16000420b68c3cb70a839
SHA512 9bd09505d8e7e30bc85a5af4c03d6c4c0bf00bd70c9f00210af28c47977e95f10b716dd9bee0cd14a9ae2a928f14ddb84f3e3890dd5bd388eeb13b9f60cf859c

memory/2024-42-0x000000002FE01000-0x000000002FE02000-memory.dmp

memory/2024-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2024-47-0x0000000071B2D000-0x0000000071B38000-memory.dmp

\??\c:\Program Files\ExitSync.doc.exe

MD5 da7cbd537325bde0b3e956d26598d4dc
SHA1 e10c7fdd8cd0b0811fbaacb536a6a7a080b8f4ce
SHA256 b223b09c7458ea65652e81138bbc0d9a0adedde23f12cfe4cd0d0544f217002b
SHA512 5116d0247b772885d61e448cbd4a7a968afc84fbab96200aa718a35e94b156d9f7c5a6211691eb1ecd616fa51fb31e8bf9d1a309bea27cb02b0c756dcfc67c44

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 160c7df01ea779bd3a796185923f317b
SHA1 86b0a583a025e6ed8ab9c5e7b29b147a774f7b60
SHA256 044b61580a0fdf5675eef520cd3149bc7b002e8dedbd82b4e9621409b5b557d8
SHA512 723361c428e8f71d1c0b4e13d2488377c5242ded7375f506dac8eb3dcf01931f5a1828f05a4a0ba1893a53e7ac1007935d8df01bfae623456ecd41a9e48dcbc2

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 1b6aaabc6c13139a7b68a52bfb6cfcaa
SHA1 c1fca62d89f2b20c1bf555ab1767e72ce8803851
SHA256 2cbe728e8651a87ab1a0ab48a70e2845648579ad5f481819dc8a8ad6853b392b
SHA512 39392d8acab0ae1ab1be8ffd24f986dadfb7a793f58259b3876a05a8d738e37073b91bd8c3e9a261d6eb0500911f71908fd6fba3c1c1707b87cba9e81469877c

C:\Users\Admin\Downloads\SelectSkip.doc.exe

MD5 67dc2fd7e885a5d778fb9a8544450a54
SHA1 ab9e66e1ffde412b7aaf1c7c8e8803fc995cc704
SHA256 6dedaa890a5fe2605dde7273ed8be43797bbdef2f7e54ff682987ff75094e158
SHA512 dff8898ac266796d05c7b86acfacc0f428cd5e1a20a30fee72a5c90c3df654ffd41d38f69d65f0f55b5cb25c404d55aaac2fdcf229228b1310e63fb6cf354b6a

memory/2664-80-0x0000000004030000-0x0000000004031000-memory.dmp

memory/2024-81-0x0000000071B2D000-0x0000000071B38000-memory.dmp

memory/2664-83-0x0000000004030000-0x0000000004031000-memory.dmp

memory/2664-88-0x0000000002670000-0x0000000002680000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-08 01:25
Reported 2024-04-08 01:27
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pvczbntx = "pcotwnjchs.exe" C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czxqwgyv = "pchltpszpbdkxtu.exe" C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nhjnrqhbhkdts.exe" C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pcotwnjchs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
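The behavioral2 registry tables above (Explorer HideFileExt and ShowSuperHidden, the Security Center overrides, DisableRegistryTools, the Run keys and the Winlogon SFC values), together with the .vbs and .wsc class changes logged under behavioral1, are the writes a responder would hunt for on other hosts. The script below is an added example, not the sandbox's signature logic: it parses rows in this report's "Set value" format, normalises the kernel-style \REGISTRY\ paths (WOW6432Node reflection and the per-user SID removed so one rule fits every host) and returns labelled hits. The sample rows are copied from the tables. Two caveats it encodes: the Run value pvczbntx holds a bare image name with no directory, so it is resolved through the process search path rather than pointing at a fixed file; and SFCDisable = 4294967197 is 0xFFFFFF9D, the Windows 2000-era value for switching off Windows File Protection, which Vista and later (including the win10v2004 platform of this run) do not honour, so that write should not be read as a successful file-protection bypass.

```python
"""Match 'Set value' registry rows from a sandbox report against a watchlist
built from this report's own indicators.

Added example; not the sandbox's signature logic.  SAMPLE_ROWS is a
constructed subset copied from the tables (one row from behavioral1's
Classes changes, the rest from behavioral2).
"""
import re

SET_VALUE = re.compile(
    r'^Set value \((?:int|str|data)\) (?P<path>\\REGISTRY\\.+?) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>[A-Za-z]:\\.+?) N/A$'
)
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
# Default value of an extension key, e.g. HKLM\SOFTWARE\Classes\.vbs\
CLASSES_EXT = re.compile(r"^HKLM\\SOFTWARE\\Classes\\\.[^\\]+\\$", re.I)

# normalised value path -> (data that fires the rule, or None for any write; label)
EXACT = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": ("1", "evasion: file extensions hidden"),
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden": ("0", "evasion: system/hidden files hidden"),
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": ("1", "evasion: regedit disabled by policy"),
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable": (None, "persistence: Winlogon SFCDisable written"),
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan": ("0", "persistence: Winlogon SFCScan cleared"),
}
for name in ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
             "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled"):
    EXACT[r"HKLM\SOFTWARE\Microsoft\Security Center" + "\\" + name] = ("1", "evasion: Security Center " + name)


def normalize(path):
    """\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\... -> HKLM\\SOFTWARE\\...,
    \\REGISTRY\\USER\\<SID>\\... -> HKCU\\..."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.I)
    return path


def match(line):
    """Return a hit dict for a watch-listed write, else None."""
    m = SET_VALUE.match(line.strip())
    if not m:
        return None
    path, data, proc = normalize(m["path"]), m["data"], m["proc"]
    key = path.lower()
    label = None
    for wpath, (want, text) in EXACT.items():
        if key == wpath.lower() and (want is None or want == data):
            label = text
    if label is None and key.startswith(RUN_KEY.lower()):
        label = "persistence: Run key"
        if "\\" not in data:
            label += " (bare image name, resolved through the search path)"
    if label is None and CLASSES_EXT.match(path) and data.lower() == "txtfile":
        label = "evasion: script extension re-associated to txtfile"
    if label is None:
        return None
    if key.endswith(r"\winlogon\sfcdisable") and data.isdigit() and int(data) & 0xFFFFFFFF == 0xFFFFFF9D:
        # 4294967197 == 0xFFFFFF9D, the Windows 2000-era "disable WFP" value.
        # Vista and later use WRP and do not honour it (editor's caveat, not from the report).
        label += " (0xFFFFFF9D legacy WFP-off value; no effect on Vista+)"
    return {"label": label, "path": path, "data": data, "process": proc}


def scan(lines):
    return [h for h in map(match, lines) if h]


SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pvczbntx = "pcotwnjchs.exe" C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\prmrhtjqoa.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_ROWS):
        print(f"{h['process']}: {h['label']}  [{h['path']} = {h['data']}]")
```

The last sample row (explorer.exe writing BagMRU\NodeSlots) is ordinary shell housekeeping and carries no "= value" text, so it falls through as None; that is the intended behaviour for noise rows.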

AutoIT Executable

Description Indicator Process Target
9 matches (no description, indicator, process or target recorded for any of them)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pchltpszpbdkxtu.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dsedpxkc.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dsedpxkc.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pcotwnjchs.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nhjnrqhbhkdts.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Windows\SysWOW64\pcotwnjchs.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nhjnrqhbhkdts.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created C:\Windows\SysWOW64\pchltpszpbdkxtu.exe C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\pcotwnjchs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\dsedpxkc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF8F482A851F9041D65F7D9DBDEFE143593567436243D6EE" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7B9C2682206D4476A570552CDD7D8665DA" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77B1493DBC5B9BA7CE3EC9737CF" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168B3FE6722A9D272D0A08B7D9062" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACEF965F19584743A4181983EE2B38F028F43130332E2BD459D09D6" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B0294792399F52CEB9A1329ED7C5" C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\pcotwnjchs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\pcotwnjchs.exe N/A
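
The rows above show pcotwnjchs.exe pointing the default ProgID of .bat, .vbs, .reg, .wsf, .wsh and .wsc under HKLM\SOFTWARE\Classes at txtfile, so double-clicking any of those script types opens it in the text editor instead of executing it, which also quietly breaks .reg-based cleanup. The PowerShell below is an added example for auditing and reverting that on an affected host; it is not part of the report. The expected ProgIDs are the stock Windows 10 defaults and are an assumption about the host, so confirm them against a known-clean machine before restoring. The CLV.Classes values written by the sample itself are left for the analyst; nothing on the page says what they encode.

```powershell
# Added example (not part of the sandbox report): audit the HKLM\SOFTWARE\Classes
# extension keys this sample rewrites to "txtfile" and optionally restore the
# stock ProgIDs. Run in an elevated PowerShell session.
# Assumption: the values below are the clean Windows 10 defaults and nothing on
# the host has legitimately re-associated these extensions.
$expected = @{
    '.bat' = 'batfile'
    '.vbs' = 'VBSFile'
    '.reg' = 'regfile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
    '.wsc' = 'scriptletfile'
}

function Get-ScriptAssociationState {
    # One object per extension: the current (Default) value and whether it
    # differs from the expected ProgID. The sample writes to HKLM, not HKCU,
    # so HKLM is what is checked (HKCR is only a merged view).
    foreach ($ext in $expected.Keys) {
        $key = "HKLM:\SOFTWARE\Classes\$ext"
        $current = $null
        if (Test-Path -LiteralPath $key) {
            # '(default)' is the unnamed value the sample sets to "txtfile"
            $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Extension = $ext
            Current   = $current
            Expected  = $expected[$ext]
            Hijacked  = ($current -ne $expected[$ext])   # case-insensitive compare
        }
    }
}

function Restore-ScriptAssociation {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($state in (Get-ScriptAssociationState | Where-Object Hijacked)) {
        $key = "HKLM:\SOFTWARE\Classes\$($state.Extension)"
        if ($PSCmdlet.ShouldProcess($key, "set (Default) to $($state.Expected)")) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $state.Expected
        }
    }
}

Get-ScriptAssociationState | Format-Table -AutoSize
# Restore-ScriptAssociation -WhatIf   # preview; drop -WhatIf to apply
```

A row whose Current column is empty means the extension key exists without a default value (or does not exist at all), which is a different state from the txtfile rewrite and is worth recording before restoring. Because the sample runs from SysWOW64, the writes it makes land in the 64-bit Classes hive all the same; file associations are not redirected by WOW64.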

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pcotwnjchs.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\nhjnrqhbhkdts.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\pchltpszpbdkxtu.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A
N/A N/A C:\Windows\SysWOW64\dsedpxkc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\pcotwnjchs.exe
PID 4028 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\pcotwnjchs.exe
PID 4028 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\pcotwnjchs.exe
PID 4028 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\pchltpszpbdkxtu.exe
PID 4028 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\pchltpszpbdkxtu.exe
PID 4028 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\pchltpszpbdkxtu.exe
PID 4028 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\dsedpxkc.exe
PID 4028 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\dsedpxkc.exe
PID 4028 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\dsedpxkc.exe
PID 4028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\nhjnrqhbhkdts.exe
PID 4028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\nhjnrqhbhkdts.exe
PID 4028 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Windows\SysWOW64\nhjnrqhbhkdts.exe
PID 4028 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4028 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4592 wrote to memory of 2752 N/A C:\Windows\SysWOW64\pcotwnjchs.exe C:\Windows\SysWOW64\dsedpxkc.exe
PID 4592 wrote to memory of 2752 N/A C:\Windows\SysWOW64\pcotwnjchs.exe C:\Windows\SysWOW64\dsedpxkc.exe
PID 4592 wrote to memory of 2752 N/A C:\Windows\SysWOW64\pcotwnjchs.exe C:\Windows\SysWOW64\dsedpxkc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e6506b12acef569b3e62b8ff428c0e80_JaffaCakes118.exe"

C:\Windows\SysWOW64\pcotwnjchs.exe

pcotwnjchs.exe

C:\Windows\SysWOW64\pchltpszpbdkxtu.exe

pchltpszpbdkxtu.exe

C:\Windows\SysWOW64\dsedpxkc.exe

dsedpxkc.exe

C:\Windows\SysWOW64\nhjnrqhbhkdts.exe

nhjnrqhbhkdts.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\dsedpxkc.exe

C:\Windows\system32\dsedpxkc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4028-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\pchltpszpbdkxtu.exe

MD5 19c8d44f530e2fc27c10ee93b594ee5c
SHA1 0be7404614edd18df30e39a64cd4b259ba1ff16e
SHA256 f5c1dc5f605171ab4a456ae190d111c17b67442a605a7743af4d5aa3ec41849f
SHA512 2319c55cec28b9f00e5c7215ea3dbec2e822753b6705da3a9fbbbcb0b23c05a49ed912404d9e0df3781b1c2a4e8f52a310c1b94bb602a063614212cc3ca55057

C:\Windows\SysWOW64\pcotwnjchs.exe

MD5 1e71af3da7cac353e362a6abce1edb93
SHA1 5918bd63db2f6423acea1372e5f793c7c60c39a7
SHA256 94e289f004bfed278207d2e8dc026cd20a13ab02d9351178c3accb70ea71b82b
SHA512 dc080b2152130352a496bb381e381f04259a727627a0227e2246aefea5883cec46a1a54476185630ca9068f5a9727f4c7dd86d2a92f70e0505066f862de820f9

C:\Windows\SysWOW64\nhjnrqhbhkdts.exe

MD5 bdc1e8bacf74702155d8b4ebd1c3ae35
SHA1 e20a1525e57af4050c6b5306f24ea43cb0a75741
SHA256 7d3d131c7eb53fb0788acd6a05788aca4b964d4ccae033a8421231b7312010a3
SHA512 e56e4d25108b712a0cd5bc18ccd2d1766d8eef1d7630c43dcfa9426f345d2861a403fc1c84d962f9bbd7135d5cffd6ccfcc58aa547a39db0fc1538caa44cd075

C:\Windows\SysWOW64\dsedpxkc.exe

MD5 c99d0a0e2f141f55d80fcb607e8b5ca7
SHA1 b80be701650f8291852b1a8af80c5302dccf3dd2
SHA256 df91900a7a425f5bd6f9b5b9de0e46c472d3a5dd0b56a5dc6a09f5847d78b29f
SHA512 d5508c6298b64247dcb01153a4d128147812afd9aaaa63d33fc15c7d696b88b0abcba5643ee728af299c26a5fc8573af6d13ee9dcc5fe1445769a8dd6017e738

memory/4656-37-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-38-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-39-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-40-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-42-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-44-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-43-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-41-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-45-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-46-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-47-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-48-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-50-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-49-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-51-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-52-0x00007FF9638F0000-0x00007FF963900000-memory.dmp

memory/4656-53-0x00007FF9638F0000-0x00007FF963900000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 a2f476fb970ff4f078a53f0164f2b959
SHA1 531f3f100f11ff07c32df8d88038f4d5da7a58c3
SHA256 f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9
SHA512 f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 df703a4df33733f085ec694f9e2212c5
SHA1 e4a407e96b1af1ce13792a1ea0f5e13f0175c6b5
SHA256 865ff1be892468f75482956d34d69b599c460fe7ae5c72250542bc07d075920e
SHA512 4379ef0fe43635baee7791e2ed534e7904ca84034af4025f0a36a0beb80e137b85c755a9ba483aefa05cc444872aa833e3078ec40ec66cf8b854b69d6af16876

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 aa5275f9b4de39511a54645f2815e97e
SHA1 f6b52370aeef76622ae8ce6faef5d7b3dd1b6b36
SHA256 a5e86b7724592441c33126b24fd294ee9dc2f6ce832866d9b8289185859ef246
SHA512 7dcd2719976c4315e28e27271b4e22ba01fe04e1b0d224834aece363d767df2a2b6d11ad3a85504ccaa8606c1b5f06f7becd64a8e1d550f04dae4bc434377c36

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PSIUK9NFAHZ8J52VK6IR.temp

MD5 e17a67aab3207418b4325bbddc9e2d80
SHA1 a05017d592fa82b714b4df03667da9233be29110
SHA256 a5a0b10a0c35c518232c330ddd14c7da8ab32696f072863c484385f80b2064e6
SHA512 a6f4fce47880a73d5ddb4a0e4084fa48873f10f157b8307dfd93078d96cb94056ea9e28067e2d7a9d2be1f92aafeed8f83c92ef84a04c296bc722c3927becae5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4d0123d44d2f4bac652eb73a06d856ce
SHA1 4a1e2427ee9354680db6b8c96a5c0dcf7a4a6303
SHA256 b3bb08807e77d4ac73206e5bb75ee7e43a290455d52199b3f801d3dee9ed735e
SHA512 9568023017f6808bd68dcc35ac7b4ff354a8db1fc5f02f0c50a12d2c7b9663d4cc17bb61846fb38cc40d0eb4ab1154fe6f8d18d6d937dade827216e32ac5ce7a

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 eedf6bf35aee454f685644a431f48595
SHA1 012050f9a40ba7960fff40694faf3657d675bb3b
SHA256 a3e743862689ad35f740277ce9d4f32b451c9a1ad0785888431ac4590eb5f319
SHA512 03588b153d7777232668b3b4b0e4284243542ad777f1598675c26db2ba89c87b41963e4a05aac338ac113d59a690a4bf3ad4b37c28a07278e1b0c1f6e8d898e0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 81b2c6d78ec9fa563a9738bb334615b3
SHA1 2eb1f963e4d2e764392fa4d79668df391a9db208
SHA256 6c1d4aa673eed5a7a7a00588c95d1fdfc3dc0728402ae0a0aafd334c81700a8c
SHA512 2dee81f735d12a3c8967c1c195a041611d92947171a9055412bcc1a289d74593954866fef1bb150b72daf2ac0370cac17913eb2e7bcc3a0cc046aa274eb4493e

memory/4656-107-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-108-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-109-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-110-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-132-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-133-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-134-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-135-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-137-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp

memory/4656-136-0x00007FF965F50000-0x00007FF965F60000-memory.dmp

memory/4656-138-0x00007FF9A5ED0000-0x00007FF9A60C5000-memory.dmp
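
The following PowerShell is an added hunting example, not part of the report, that ties the Files section hashes to the Program Files and Windows directory drop tables above. It checks a host for the four SysWOW64 droppers by SHA-256 and lists any *.doc.exe companion file under the Office, MSDRM and WinSxS office-protectors directories where dsedpxkc.exe wrote PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe. Assumptions: 64-bit Windows 10 with Click-to-Run Office under Program Files\Microsoft Office\root, so the droppers land in SysWOW64; matching any name ending in .doc.exe generalises beyond the three names seen in this detonation.

```powershell
# Added example (not from the report): hunt one host for this sample's dropped
# executables and for the ".doc.exe" companion files it writes beside Office
# binaries. Hashes are copied from the Files section of the report.
# Assumption: 64-bit Windows 10, Click-to-Run Office; run elevated.
$droppedHashes = @{
    'C:\Windows\SysWOW64\pchltpszpbdkxtu.exe' = 'f5c1dc5f605171ab4a456ae190d111c17b67442a605a7743af4d5aa3ec41849f'
    'C:\Windows\SysWOW64\pcotwnjchs.exe'      = '94e289f004bfed278207d2e8dc026cd20a13ab02d9351178c3accb70ea71b82b'
    'C:\Windows\SysWOW64\nhjnrqhbhkdts.exe'   = '7d3d131c7eb53fb0788acd6a05788aca4b964d4ccae033a8421231b7312010a3'
    'C:\Windows\SysWOW64\dsedpxkc.exe'        = 'df91900a7a425f5bd6f9b5b9de0e46c472d3a5dd0b56a5dc6a09f5847d78b29f'
}

function Find-DroppedExecutables {
    # Presence of the path alone is already an indicator; HashMatch tells you
    # whether it is byte-identical to the detonated build or a variant.
    foreach ($path in $droppedHashes.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path      = $path
            SHA256    = $sha256
            HashMatch = ($sha256 -eq $droppedHashes[$path])
        }
    }
}

function Find-CompanionExecutables {
    # Directories where the report shows .DOC.exe / .doc.exe files being written.
    $roots = @(
        "$env:ProgramFiles\Microsoft Office",
        "${env:ProgramFiles(x86)}\Microsoft Office",
        "$env:windir\SysWOW64\MSDRM",
        "$env:windir\System32\MSDRM"
    )
    # WinSxS is large; only walk the office-protectors component directories.
    $roots += Get-ChildItem -LiteralPath "$env:windir\WinSxS" -Directory -Filter '*office-protectors*' -ErrorAction SilentlyContinue |
              ForEach-Object FullName
    $roots = @($roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })
    if ($roots.Count -eq 0) { return }

    Get-ChildItem -LiteralPath $roots -Recurse -File -Filter '*.doc.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Genuine Microsoft binaries in these trees carry a valid Authenticode
            # signature; a companion file written by the sample normally does not.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                Signature = $sig.Status
                Written   = $_.LastWriteTime
            }
        }
}

Find-DroppedExecutables   | Format-Table -AutoSize
Find-CompanionExecutables | Format-Table -AutoSize
```

The companion files are reported with their hash rather than matched against a list on purpose: the Files section carries two different hashes for \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe alone, so the written content varies per target and the name pattern plus signature status is the stable signal. Because the droppers run under WOW64, the C:\Windows\system32\dsedpxkc.exe command line in the Processes section resolves to the SysWOW64 copy listed here.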