Malware Analysis Report

2025-06-15 20:08

Sample ID 240515-m9t5ysef85
Target 45e4eee014788a7efcf398d896a0af64_JaffaCakes118
SHA256 e52ffa52b7f8d71bfd0250e4b0ae56fbbdeb81b1747e9ed2061478bab51719b9
Tags
evasion persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

e52ffa52b7f8d71bfd0250e4b0ae56fbbdeb81b1747e9ed2061478bab51719b9

Threat Level: Known bad

The file 45e4eee014788a7efcf398d896a0af64_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Windows security modification

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:10

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:10

Reported

2024-05-15 11:12

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yewwgtvl = "pdncfngzuk.exe" C:\Windows\SysWOW64\nwtnncypazvqnnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ysylpxae = "nwtnncypazvqnnc.exe" C:\Windows\SysWOW64\nwtnncypazvqnnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "unokmxqauobll.exe" C:\Windows\SysWOW64\nwtnncypazvqnnc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pdncfngzuk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\pdncfngzuk.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pdncfngzuk.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\nwtnncypazvqnnc.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\unokmxqauobll.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\unokmxqauobll.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pdncfngzuk.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\nwtnncypazvqnnc.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\qnetsssu.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qnetsssu.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\pdncfngzuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\qnetsssu.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qnetsssu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C70B1490DAB7B9BB7F95ED9F34CC" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BB0FF1A22DFD20ED1D18B7F9166" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF89482F851A9135D62F7E94BD97E637593167456332D798" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\pdncfngzuk.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\pdncfngzuk.exe N/A
N/A N/A C:\Windows\SysWOW64\nwtnncypazvqnnc.exe N/A
N/A N/A C:\Windows\SysWOW64\qnetsssu.exe N/A
N/A N/A C:\Windows\SysWOW64\unokmxqauobll.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\pdncfngzuk.exe
PID 2024 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\nwtnncypazvqnnc.exe
PID 2024 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\qnetsssu.exe
PID 2024 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\unokmxqauobll.exe
PID 2292 wrote to memory of 2712 N/A C:\Windows\SysWOW64\pdncfngzuk.exe C:\Windows\SysWOW64\qnetsssu.exe
PID 2024 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2632 wrote to memory of 2840 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"

C:\Windows\SysWOW64\pdncfngzuk.exe

pdncfngzuk.exe

C:\Windows\SysWOW64\nwtnncypazvqnnc.exe

nwtnncypazvqnnc.exe

C:\Windows\SysWOW64\qnetsssu.exe

qnetsssu.exe

C:\Windows\SysWOW64\unokmxqauobll.exe

unokmxqauobll.exe

C:\Windows\SysWOW64\qnetsssu.exe

C:\Windows\system32\qnetsssu.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2024-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\nwtnncypazvqnnc.exe

MD5 7cd709e5b187175c631d18b4d9337cac
SHA1 4f6a77cbf9108324342260e38728e62de0cbc736
SHA256 f6273404e865b796c8f9fd73221a21efd2f1613c6fc7e536497b42c7c3d3fc82
SHA512 80ef6378bed4de1ec0cd5c716ec85ff7c7318247f7525f2015e9fb11509e256bf389211aa98edb2d52fd5f79544e09b9e0da00ce299e4cb903145507c28eeae2

\Windows\SysWOW64\pdncfngzuk.exe

MD5 ea267fc8aea97f867d3e8148f1ff61a2
SHA1 cac20f7028d68432345d77ee28191f51e0a230c3
SHA256 e30f168935c1406d21bddf1b0e5ef01d4db901a26914c496d8e8e21c4dc9234f
SHA512 8c7db536d3b653942b933a4a104eb28f7d932c0913e7297f58bde5ed93774b555151ef7be24f026c0ff767121fb234a041482acb590c8441e934fc79b94acf0d

\Windows\SysWOW64\qnetsssu.exe

MD5 f01faf628642931bbdb59308f241e04c
SHA1 09624cb7f2864f7acc730b4d548032ed453c74f5
SHA256 628a3a7cb19c63b653671642eab56c8f6df9468c86055edadd3b4b8e210546db
SHA512 37ac928a977f286df72f0d1deb3bb7ca6002c5f9827ce438fcca0c24383b632979a7b0f13f682f2a9624b639ddbb776f5a72487a8cd97cad4b850b96169d1f63

\Windows\SysWOW64\unokmxqauobll.exe

MD5 9e9439dbd6f8d0eb817d9640116b82b1
SHA1 f7db97ea2b07e184b708f1028b2de4b7b0881c20
SHA256 d6d820179fe160397b5af083abedac964682f5928035e52f671a104738dccdee
SHA512 79245c2dd1234e7e15eacfc4b21abb27b07c1e6d9fc3e7b8012cae9a6d2b8883ed04b0c1fc78b594d07bc8f13016bd9101f6e7ece4644367bc7a1598fb0b262f

memory/2632-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 7acd23daa908c7273473150c5a0da8ca
SHA1 40359263bf07c822377d2568993ba84191f34145
SHA256 dfcb4eb980cf06425938b09a9c5342ffe490da13993ef7ea0bb931e1d9967d39
SHA512 5b5996243f987c456a8f8aaa06f4cb53c4dae94890175650f37bdff7cc6280abb40d95e055d471f6b157a9457a1f939bdc063c610e0ea48ad79947a9f442342c

memory/2632-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:10

Reported

2024-05-15 11:12

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smcqmsry = "xrjqxxycnhnihgw.exe" C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "outejfrvabuow.exe" C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ohldomod = "bbyadyhaeq.exe" C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ufkkztec.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\bbyadyhaeq.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ufkkztec.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\outejfrvabuow.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created C:\Windows\SysWOW64\bbyadyhaeq.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ufkkztec.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\outejfrvabuow.exe C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\MountUnpublish.nal C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ufkkztec.exe N/A
File created \??\c:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\TestDebug.nal C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Program Files\MountUnpublish.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created \??\c:\Program Files\TestDebug.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ufkkztec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ufkkztec.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67C15E1DBC5B8C97FE7ECE737B9" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9CDF967F29884783A3281EB3992B08102FC4366034BE1BD42E709D4" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7A9D2083276A4177A0702E2CDF7DF465D8" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFC824F5F856D9132D7217E97BC92E133594566426331D6EA" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12C47E539E952C4B9D632E9D7C5" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BC4FE6821DCD27FD0A38A0F9111" C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\bbyadyhaeq.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\bbyadyhaeq.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\outejfrvabuow.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A
N/A N/A C:\Windows\SysWOW64\ufkkztec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\bbyadyhaeq.exe
PID 4996 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\bbyadyhaeq.exe
PID 4996 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\bbyadyhaeq.exe
PID 4996 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe
PID 4996 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe
PID 4996 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe
PID 4996 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\ufkkztec.exe
PID 4996 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\ufkkztec.exe
PID 4996 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\ufkkztec.exe
PID 4996 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\outejfrvabuow.exe
PID 4996 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\outejfrvabuow.exe
PID 4996 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Windows\SysWOW64\outejfrvabuow.exe
PID 1148 wrote to memory of 740 N/A C:\Windows\SysWOW64\bbyadyhaeq.exe C:\Windows\SysWOW64\ufkkztec.exe
PID 1148 wrote to memory of 740 N/A C:\Windows\SysWOW64\bbyadyhaeq.exe C:\Windows\SysWOW64\ufkkztec.exe
PID 1148 wrote to memory of 740 N/A C:\Windows\SysWOW64\bbyadyhaeq.exe C:\Windows\SysWOW64\ufkkztec.exe
PID 4996 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4996 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\45e4eee014788a7efcf398d896a0af64_JaffaCakes118.exe"

C:\Windows\SysWOW64\bbyadyhaeq.exe

bbyadyhaeq.exe

C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe

xrjqxxycnhnihgw.exe

C:\Windows\SysWOW64\ufkkztec.exe

ufkkztec.exe

C:\Windows\SysWOW64\outejfrvabuow.exe

outejfrvabuow.exe

C:\Windows\SysWOW64\ufkkztec.exe

C:\Windows\system32\ufkkztec.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/4996-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\xrjqxxycnhnihgw.exe

MD5 acae3016c17163b16355ea68758d18ab
SHA1 4d7b0db06c11df2b7127921aecaf8117d4571a2c
SHA256 9eb95e237a789f3de32a44222d1c598bf0d664c5b12f916708f1376964b62238
SHA512 ece435f7d124c7c01a0183caa2191b70cf16f73c224a4eb6da6207a3d03660b7abea1b317e531b5bcf36fbd2fd3338fe591e9ee1dfbe4da80f270297d96aeb3f

C:\Windows\SysWOW64\bbyadyhaeq.exe

MD5 8b3b630e06ba7998c7e273ad93023c95
SHA1 d474c437429278b8e010096a32da244ba75f4700
SHA256 8b496bae970ca6d3995d56dc17b7caaae49f4ab15b2e41ba38e524f0a838aafd
SHA512 77869c91cbb1acc34d11016a177fdc3a1b92a7f15733d58b4a8e373d7d8e99467c078ac00b2307c98327f66ddaf7baa1985200765b474094c040aef1bbbb97ce

C:\Windows\SysWOW64\ufkkztec.exe

MD5 a560edbaf9b346600834457d07bc5347
SHA1 ae33e11a86e360de9cf690334f63a3abb9e62dca
SHA256 231e2bf1132fbc597e86476bcf5ac1c8f11dd53aa6f5d3cae96a5a919640b727
SHA512 3b06399edd0f4b8116cbb233dd4cd958b306d7a73e0a5996f04e7d25749670b4d042ea955043dbeabdd1a66e1dd8eda20d7abae5c76c365ad5b971b027feb8b3

C:\Windows\SysWOW64\outejfrvabuow.exe

MD5 e8ed41959c85da8344ff3f3621ad2c9b
SHA1 070a523628a85aaba6244da4dd84e531b4f1dee7
SHA256 22d61946a4530106170e49b190d7231872b570fd527d0061f392e3cd518108fd
SHA512 b9cb389b0bfe13f7aa7eae199f831acb15fdda2497237a015443d31c4ae6469a42d896174bfea75f8b252a6c9ce3cc2e4b0429ce2358600fef20f263a683241b

memory/2020-37-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-38-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-39-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-40-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-41-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-42-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

memory/2020-43-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 786e8eef5ae896fb874e5815ad705aaa
SHA1 daf0d475fdc8b4d5f123844a4e60d5d3ed69c5af
SHA256 a2b82047368966157a25f3f9abfdfae35c20726c36ceb5481e002fe615ba915d
SHA512 e1c090ac9b942cae99fc234106ea0e4c3da535f2c32253e8577961056824d3f243759e2f93fa7bbcc484341e5a6d8a8ec21572ab73844dfcf8aca1943541575f

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 ea633d1de8fc1f16482f77813867dae7
SHA1 1d845aeaae65a7d08d6337f9e388c68c08d8416d
SHA256 a21ecca2d0d8293faf28fb0cecd0d65db74f1f3b40bb87256352b7b10a876e4e
SHA512 eb6f772c9af3db34407ac1f34e1a37a84c4e3be10d87756eeb9425e0c83d3fdda12d05c14fd75a999bc300c776edc6c9b33898e3b9b17eaf02861e0de4d5add2

C:\Program Files\MountUnpublish.doc.exe

MD5 fe42592edf7231dcedad3d5c8630721c
SHA1 a94410f7247190cfbb86c641ac5a08216d12feca
SHA256 5f987a7999c7090187712ea5213672f3fe0b1cf0a7757dfe682db623d4389ba1
SHA512 9ca205169bf4c6afc148e87f0422f427a84e4795392fe29736eba5f7e6e59937d5aeb3c95f77074d7aa03819275d2fffbc4f0ca102ee7583ba1431dc8c0ff543

C:\Program Files\TestDebug.doc.exe

MD5 3c128a06f4b67b844d2c3642e8b2d32b
SHA1 d9ac8c4b342057b87f5dadcd513d3d1b77bcab28
SHA256 1fec05fac01d28d0a5d04bb488f0bea448e1a59924c75c178d442d62ce29bd20
SHA512 0a3d02e87945bb7d7cf934f577c2e05e36d37159e27bc069123b5cc6ae7d008a846ad58e4f3c293462eacb1986c19b29a1dd4a65ccf6499f303791fb1a1936cb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2afaa0755abf506991c0d908adaea083
SHA1 4551563b85795c6c86e48e6c3f1e3daa8a8146c2
SHA256 090bb2bdd916ad2e9964667b47ecac321a4d73009e82b5dd1ff5910c3668ee59
SHA512 3e3dc7683cf8bf05b5266af818bd4d8ced89c72e4f446876cf333f6b53bd65587913bc85caa950064ea38e19e0bf9b881f137cb68019b21b5169eb717ab039a8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 60832a6f47f16e2cf1771d847cf0fe54
SHA1 ca1aef2c3b246c100b1b8a7a2ea2cd250ce0acbd
SHA256 cf7cf19a1b5805ec4b0686199f41817b059a618b09331d440fa2f9606867cbbb
SHA512 f5112f00ce40d5441ba294bbb28566407991f59ab06ce77443cb0a9aef3f89ee97133e3ccbdc397fb0bc74a92338058f431b46d2e696e38a6a6604c7bcf1ef73

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 996b9ce90b9ad79535bc82220e2d2948
SHA1 a8f529505ca2bdf85b1fcc541e0322f9709b0549
SHA256 8d665e77f4ebd7d0c6edd376b774d5a38f92e6f2fa59a6265f5468d2ae793c01
SHA512 e620d559643194f5ec1cbe68942487c463378b61e551cb06db76af4b86943de8fa02e1d1428814fba85036602312e34b25b586b6d091717fb42bb1d3965293e0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 9bd4e83dcf3edba5221ca066402ec0c5
SHA1 1ad425e275cdd2fedee0a7a582960623f8432b22
SHA256 f84b02e315e61455f40a9aa5fe3b9ed4172fa3128697edc393ef2698a1a1bf1d
SHA512 732a128d15ef7bf92a4f0c3bf229067b9617e3f7827e528d23c82c0a0a99efd1c16cac8a8109826e79e55431da054774319ff2b9bb220be71e5edca8606d9668

C:\Users\Admin\AppData\Local\Temp\TCD8DD6.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

memory/2020-607-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-608-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-609-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

memory/2020-606-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp