Malware Analysis Report

2025-04-14 00:32

Sample ID 240601-w3ameabg38
Target 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118
SHA256 8062a435db4a4bb89a349bcdbf48ac2c6f6c8c45874105fa8f568f1e1a21137b
Tags
evasion persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

8062a435db4a4bb89a349bcdbf48ac2c6f6c8c45874105fa8f568f1e1a21137b

Threat Level: Known bad

The file 8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Windows security modification

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 18:26

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 18:26

Reported

2024-06-01 18:28

Platform

win7-20240215-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jhmlcxcptxkzv.exe" C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qtdaxvcw = "ctkdsbcguh.exe" C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\amsyzywz = "wevidlszxhulggd.exe" C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\y: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fdhfrmad.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jhmlcxcptxkzv.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\wevidlszxhulggd.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fdhfrmad.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jhmlcxcptxkzv.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fdhfrmad.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
File created C:\Windows\SysWOW64\ctkdsbcguh.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ctkdsbcguh.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wevidlszxhulggd.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fdhfrmad.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fdhfrmad.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fdhfrmad.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67C14E1DBB2B9CE7F92ECE037BC" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B12E47E6399D52CCBAA632EDD7BB" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
N/A N/A C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
N/A N/A C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
N/A N/A C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
N/A N/A C:\Windows\SysWOW64\ctkdsbcguh.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\fdhfrmad.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\jhmlcxcptxkzv.exe N/A
N/A N/A C:\Windows\SysWOW64\wevidlszxhulggd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ctkdsbcguh.exe
PID 2896 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ctkdsbcguh.exe
PID 2896 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ctkdsbcguh.exe
PID 2896 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ctkdsbcguh.exe
PID 2896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\wevidlszxhulggd.exe
PID 2896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\wevidlszxhulggd.exe
PID 2896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\wevidlszxhulggd.exe
PID 2896 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\wevidlszxhulggd.exe
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2896 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2896 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\jhmlcxcptxkzv.exe
PID 2896 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\jhmlcxcptxkzv.exe
PID 2896 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\jhmlcxcptxkzv.exe
PID 2896 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\jhmlcxcptxkzv.exe
PID 2896 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2896 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2896 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2896 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2456 wrote to memory of 2384 N/A C:\Windows\SysWOW64\ctkdsbcguh.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2456 wrote to memory of 2384 N/A C:\Windows\SysWOW64\ctkdsbcguh.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2456 wrote to memory of 2384 N/A C:\Windows\SysWOW64\ctkdsbcguh.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2456 wrote to memory of 2384 N/A C:\Windows\SysWOW64\ctkdsbcguh.exe C:\Windows\SysWOW64\fdhfrmad.exe
PID 2372 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2372 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2372 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2372 wrote to memory of 2316 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe"

C:\Windows\SysWOW64\ctkdsbcguh.exe

ctkdsbcguh.exe

C:\Windows\SysWOW64\wevidlszxhulggd.exe

wevidlszxhulggd.exe

C:\Windows\SysWOW64\fdhfrmad.exe

fdhfrmad.exe

C:\Windows\SysWOW64\jhmlcxcptxkzv.exe

jhmlcxcptxkzv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\fdhfrmad.exe

C:\Windows\system32\fdhfrmad.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2896-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\wevidlszxhulggd.exe

MD5 e0ea8fe86b69730b17c3c3df038da729
SHA1 e9120132c2f91a41232750404826533e5b2dcab1
SHA256 64ec255d4be4b4ef01c1de1316b8e9805c1f04ab9dcd5980139a5a7df8b9fdd8
SHA512 525db202312a48a044b878871c5e9833d8cb2d6466f15e10bd66247825cd047ffcf610246448e519eb7e6c066130bbc2e9840db23a2444a9c4d8db4c4aa79f3d

\Windows\SysWOW64\ctkdsbcguh.exe

MD5 ef5018285f934acf7b8837bcefa2af81
SHA1 f78bb2f879fec49f0b76b59a134ee7db9cd071b2
SHA256 e883ef5e0b4fad6f55a91d860ab882cbcda7a23e3074e7f49f09d7edbd2ccbc5
SHA512 2873526e09b70e82fc5c19c68051d599857e09a62dff7b1476db3b2af9aff76b2f9bf43d2151e5c7f89c89624e0ebf3d6ab294d3ed7bee6503fdaa6000a5d17a

C:\Windows\SysWOW64\jhmlcxcptxkzv.exe

MD5 9aded1de1b0a0a9aa767d3c463935fed
SHA1 d93a7591124ce55ee6ffd02f1e911dfedbe186ef
SHA256 2cd4419e9bb4556300cff34fe0ce99b88daed58487834a304f46d7e849bc3b80
SHA512 3b41bcda4ba15c09b1db558512b7b8726a326f9d162c8b34ea6e7a596f3c33da33c7d0c3de49317b3bfee62d4d02b8c0ea06244a1161fd77e4af1938d4ac6973

C:\Windows\SysWOW64\fdhfrmad.exe

MD5 588780b9f5e3375368da51ca2a6ff70d
SHA1 921512b72407a5eb59e6a79b10e63484c9397327
SHA256 c661e0f0abce22936be78ec6db68c480818a65989cbb4716e90faa3ddaa97367
SHA512 5625afe8bbe94a90d8f5052af9af998c5b213bb7fe9a289977369fa0353f7ac1946c197c87512e45cd9c30f57a821cc42257668b118631dc40d0d29210f08445

memory/2372-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 209d5ed911fc9d4ac51dde0b0c14b777
SHA1 1bd7b27ed62ac0ac44a5b6de45e6cc99ac29b9ef
SHA256 699ca2ee9c569925811f6a183370a898bfba57046e516981134fd910f6e51538
SHA512 b872ce0e60eda4eb8ad92c2c526a86ea95f1579811458f92cd5e9a0b917d9f3a6fec7938d0b7a3df0e0db6d324484035ed4e0be55dca652db4d7594b00b2a126

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 06b5ab938fbc1919af3235837eb7ec24
SHA1 084e31a1fd5a6b89878185c9ac00476a3a279631
SHA256 e6768f15c4d15fbee2489752fccfaafe9781e72ce168d56dfe77798599880b4f
SHA512 9331e045db668e58b38731fd1fa59f33ba05484d23e47d2a572397776d722ea4d97b052c3fe0d2b86b481c0e8b686a71a628b74b6ead1a422f4113f5b946d730

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 1d71268987454fb5c96e45e6e1669148
SHA1 1eb4563977c71f6558d25120ac9091aa8421ca03
SHA256 d95c7e93a1c97876bbb304876b897caaf76a994b709a82df669930efc6a12d60
SHA512 8f8dad24b4f62462a1cd70350bd912ad12692a0fa080241e3d4e1b8183090783428852ec8b707c2200261e7535cb50c280c476e819a4446095f8c3a2ec96169a

memory/2372-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 18:26

Reported

2024-06-01 18:28

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ievqqtaext.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ievqqtaext.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccluyuvv = "ievqqtaext.exe" C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmiqtewb = "tsvaavdjqrwcosc.exe" C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sjwfuvzfpdvsc.exe" C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rmkrjscs.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ievqqtaext.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ievqqtaext.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Windows\SysWOW64\ievqqtaext.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rmkrjscs.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File created C:\Windows\SysWOW64\ievqqtaext.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rmkrjscs.exe C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\rmkrjscs.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rmkrjscs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB6FE6822DDD179D1D28B7F9017" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CEFE6BF198830E3A47869F39E2B38E038F4216033AE1B8459C08A9" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\ievqqtaext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C7D9D5682276D4677D470272CDB7C8665DD" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67C1590DBC5B9C07CE1ECE034CB" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B15C47E5389953C4B9D132EFD4C5" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8D4F278568903DD6217EE6BD92E632594366416246D7EE" C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ievqqtaext.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ievqqtaext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ievqqtaext.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe N/A 16
N/A N/A C:\Windows\SysWOW64\ievqqtaext.exe N/A 10
N/A N/A C:\Windows\SysWOW64\rmkrjscs.exe N/A 8
N/A N/A C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe N/A 14
N/A N/A C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe N/A 16

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 3640 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ievqqtaext.exe 3
PID 3640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe 3
PID 3640 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\rmkrjscs.exe 3
PID 3640 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe 3
PID 1432 wrote to memory of 2140 N/A C:\Windows\SysWOW64\ievqqtaext.exe C:\Windows\SysWOW64\rmkrjscs.exe 3
PID 3640 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 2

Each row pairs a parent PID with the PID of a process it created: the sample (3640) writes into each of the four dropped SysWOW64 executables and into WINWORD.EXE, and ievqqtaext.exe (1432) in turn writes into a second rmkrjscs.exe (2140). A parent writing into a child it has just spawned is also what ordinary process creation looks like at the API level, so on its own this signature establishes the process tree, not injection into an unrelated process.
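As an added example (not tooling from the sandbox vendor or part of the report), the following Python rebuilds the process tree from the WriteProcessMemory rows above. The rows are embedded verbatim; the column layout `PID <parent> wrote to memory of <child> N/A <parent image> <child image>` is assumed from the table. The rows are read as parent/child edges, and the number of write events behind each edge is kept so that de-duplicating the repeated rows loses nothing.

```python
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table of this report (raw string so
# the Windows paths keep their backslashes). The sandbox logs one row per
# write call, so every parent/child pair appears two or three times.
WPM_ROWS = r"""
PID 3640 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ievqqtaext.exe
PID 3640 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ievqqtaext.exe
PID 3640 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\ievqqtaext.exe
PID 3640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe
PID 3640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe
PID 3640 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe
PID 3640 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\rmkrjscs.exe
PID 3640 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\rmkrjscs.exe
PID 3640 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\rmkrjscs.exe
PID 3640 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe
PID 3640 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe
PID 3640 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe
PID 1432 wrote to memory of 2140 N/A C:\Windows\SysWOW64\ievqqtaext.exe C:\Windows\SysWOW64\rmkrjscs.exe
PID 1432 wrote to memory of 2140 N/A C:\Windows\SysWOW64\ievqqtaext.exe C:\Windows\SysWOW64\rmkrjscs.exe
PID 1432 wrote to memory of 2140 N/A C:\Windows\SysWOW64\ievqqtaext.exe C:\Windows\SysWOW64\rmkrjscs.exe
PID 3640 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3640 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"""

# Column layout assumed from the table. Image paths contain spaces
# ("Program Files"), so the split is made at the " X:\" that starts the
# second path rather than on whitespace.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>[A-Za-z]:\\.*?) (?P<child_image>[A-Za-z]:\\.*)$"
)


def parse_rows(text):
    """Return (edges, images, counts): parent PID -> set of child PIDs,
    PID -> image path, and (parent, child) -> number of write events."""
    edges, images, counts = defaultdict(set), {}, defaultdict(int)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        parent, child = int(m["parent"]), int(m["child"])
        edges[parent].add(child)
        images[parent] = m["parent_image"]
        images[child] = m["child_image"]
        counts[(parent, child)] += 1
    return edges, images, counts


def roots(edges):
    """PIDs that wrote to others but were never written to: the tree tops."""
    children = {c for cs in edges.values() for c in cs}
    return sorted(p for p in edges if p not in children)


def render_tree(edges, images, counts):
    """Indented text tree; children sorted by PID so the output is stable."""
    out = []

    def walk(pid, depth, n_writes):
        tag = f"  ({n_writes} write events)" if n_writes else ""
        out.append(f"{'  ' * depth}{pid}  {images[pid]}{tag}")
        for child in sorted(edges.get(pid, ())):
            walk(child, depth + 1, counts[(pid, child)])

    for r in roots(edges):
        walk(r, 0, 0)
    return "\n".join(out)


if __name__ == "__main__":
    e, i, c = parse_rows(WPM_ROWS)
    print(render_tree(e, i, c))
```

Running it prints one root (3640) with five children and a second-level rmkrjscs.exe (2140) under ievqqtaext.exe, which is the tree the Processes section below lists flat.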

Processes

PID 3640  C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\8b5b4431f6219c2c8bd2d0ab07df3386_JaffaCakes118.exe"

PID 1432  C:\Windows\SysWOW64\ievqqtaext.exe
          ievqqtaext.exe

PID 2604  C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe
          tsvaavdjqrwcosc.exe

PID 572 or 2140  C:\Windows\SysWOW64\rmkrjscs.exe
          rmkrjscs.exe

PID 2268  C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe
          sjwfuvzfpdvsc.exe

PID 572 or 2140  C:\Windows\SysWOW64\rmkrjscs.exe
          C:\Windows\system32\rmkrjscs.exe

PID 216   C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

PID not recorded  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

PIDs are taken from the WriteProcessMemory rows above. Two rmkrjscs.exe instances exist (572, started by the sample, and 2140, started by ievqqtaext.exe); the report does not say which command line belongs to which. The second instance was launched via the C:\Windows\system32 path, which WOW64 redirects to SysWOW64 for a 32-bit caller. The msedge.exe entry is an Edge utility process with no parent recorded in this report.

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 (no domain recorded) tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Every UDP row is a PTR (reverse-DNS) query to Google Public DNS; an in-addr.arpa name lists the octets in reverse, so 241.150.49.20.in-addr.arpa asks for the name of 20.49.150.241. The one TCP connection, to 13.107.246.64:443, has no domain recorded. The report does not attribute any of these flows to a process, and none of the dropped executables is shown contacting a remote host, so nothing in this table should be written up as command-and-control without a process-level capture to back it.
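To get pivotable addresses out of the table above, here is an added Python example (not from the report or the sandbox vendor) that parses the rows, embedded verbatim, turns each in-addr.arpa name back into the address it names, separates those lookups from direct flows, and keeps only globally routable addresses as candidates for threat-intel lookup. The row layout `<country> <ip:port> [<domain>] <proto>` is assumed from the table.

```python
import ipaddress
import re

# Rows copied from the Network table of this report (embedded so the example
# runs offline). The TCP row has no domain column.
NETWORK_ROWS = """
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
"""

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I
)


def ptr_to_ip(name):
    """Reverse-DNS name -> the IPv4 address it names, or None if the name is
    not an in-addr.arpa PTR name. The octets are stored in reverse order."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ipaddress.IPv4Address(".".join(reversed(m.groups())))


def parse_network(text):
    """Split rows into PTR lookups (the addresses the host asked to have
    named) and every other flow as (ip, port, proto, domain-or-None)."""
    ptr_targets, flows = [], []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"unexpected row: {line!r}")
        dest, proto = parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        target = ptr_to_ip(domain) if domain else None
        if target is not None:
            ptr_targets.append(target)          # query went to the resolver
        else:
            flows.append((ipaddress.ip_address(ip), int(port), proto, domain))
    return ptr_targets, flows


def pivot_candidates(ptr_targets, flows):
    """Globally routable addresses worth checking against threat intel,
    de-duplicated and sorted; private and reserved ranges are dropped."""
    addrs = set(ptr_targets) | {ip for ip, _, _, _ in flows}
    return sorted(a for a in addrs if a.is_global)


if __name__ == "__main__":
    ptrs, flows = parse_network(NETWORK_ROWS)
    for t in ptrs:
        print("PTR lookup for", t)
    for ip, port, proto, domain in flows:
        print("flow", ip, port, proto, domain or "(no domain)")
    print("candidates:", [str(a) for a in pivot_candidates(ptrs, flows)])
```

The resolver address itself (8.8.8.8) is deliberately not treated as a flow: the interesting fact in a PTR row is the address being named, not the DNS server that answered.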

Files

Each entry gives the path and the hashes of the content as written; memory/<pid>-<n>-<start>-<end>-memory.dmp entries are memory regions dumped from that PID (3640 is the sample, 216 is WINWORD.EXE). Four of the dropped executables carry a double extension (*.doc.exe, *.DOC.exe), placed in the user's Documents and Roaming folders, in the Office template directory and under SysWOW64\MSDRM; with the Explorer extension-hiding recorded in the summary, they display as documents. A path listed twice with different hashes (fb3b0dbfee58fac8.customDestinations-ms, MsoIrmProtector.doc.exe) was written more than once during the run.

memory/3640-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe

MD5 c025ee65631ac6b11d15735904c4cad9
SHA1 a989b9372927ae8428406adc13fa284d76cde534
SHA256 fdbe0dfb3d182683d1b558f3a9ddb97d5ff673511cacb4ad4c7c5d9c986f2068
SHA512 0390a11bc6b7b611d6d8a39456997805a0112d07d67c40e64d721b5693943690e817595b42f40d717c12f51d3e994ed9f51c1ba427924746105779979c4a7efc

C:\Windows\SysWOW64\ievqqtaext.exe

MD5 2f388e4afbaf7d2a8e2bbc6f3fd74337
SHA1 5a8425df0f11674d7407b825f461c47b5bfaaf57
SHA256 caee0c63e3ef9d621b76a343ba223dc0a0cdea51f9c37509020a9f58156f551e
SHA512 4870bfd0f3dd21014ccd4d4718b0d0d188e5d1859a53cfd1c3699b8b2458ccccd2195563abce38f3466062406fc198e96cccdd32534e15721d3152dd38f21919

C:\Windows\SysWOW64\rmkrjscs.exe

MD5 12ae4a3eea0f77aab0c9de36ff3adbb0
SHA1 372eddb719b9e9082daf7b03f5b222189eb2edc3
SHA256 edc67754cd3f98ea7be3c932d2a4a00146a447c1e571f96e4a94fbe1a806c184
SHA512 2033f70e106890109bfb5bda95f74ab820569fd480264ae2196fb00547543a68df81dd7442c78167d8892813045c133b50bc7630cb04d2441d30f717a0a9475c

C:\Windows\SysWOW64\sjwfuvzfpdvsc.exe

MD5 7496a4d6ca80098c1bd1bae5414e1454
SHA1 4b85b05dbb392db2b40628920257e270b0db0c42
SHA256 dc0a3a6dccb018eab430a1d06ffb8c1242beef15aae52263d8104e917b3cee25
SHA512 369296d0e9a6e92c962102641d83b25b54bff04d22ed8190ea0712b465a9c81c543cbaaad063c4a95b4736639ba28e89be8f19a245bbf1b897784be340db2eab

memory/216-39-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-38-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-37-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-40-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-41-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-42-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

memory/216-43-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 2b1d7d265e8563ce7704d0a3594c10e8
SHA1 db2d6547ac66fccc991e255e459a2ed3601b7626
SHA256 4fdb9d87f28a2e6b11dee7ef029f4c69104940c82934a614bd47838dc905d7a5
SHA512 8048aee8d486c8d8b1ec7d6f0205d83b8851c2c5e530f42d786d82b1335a098db2089fdd384a11804a597f96ae3ec17d58d2d0506e7c10e046512c3e66b76aaf

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 24675de10e75a97ad49af794c99dddb7
SHA1 958325e02e4343178d1ff745ff3dea6a18ad0da0
SHA256 8e40ebca5d3f15f5ce40d986149f66597a701e3ff9ecfada7cca4565d0b5a786
SHA512 c090bd979e0935323dd01ac6c566e3308da4f9183b3e3ed579a74c496e41e9e6e224a4dd6f0a0c78e91cdff5f530b7c6aabdf12a666246770788425cb474510d

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2d37dd58ea16348b4631aef1940c12b0
SHA1 f7b7c7c0dd79fa193e312fde4a9e86e94829636a
SHA256 c4b143e4b2dad9958c2a8267a90af690b99e988a567e628659e7ccb8ba0858fd
SHA512 57cdac35c0bdd5f50be03f2a691d8cd628d2fe49982c5abec8373cb79388b5eac55c77ae9caf26796c4a9bf387cc79c9ec9bca671af666834fe4a4d0762ef739

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a8fc029397eea94631ad75a604df5fc3
SHA1 3721f8c8930368f66e3f185f0d9f47836f0bd13d
SHA256 86deeb8adc5320cf69a9abb1ae9963fb363beb36cec56a81f565bd253ae74cc9
SHA512 5ed4c5b7e507dc6056f03965e96fa613164c7abb8b2c71a1fd7c48699e2110b34756027011c13d4a5f1f92410c4ed98acd66759c29293e0ce882ae690ee3e246

C:\Users\Admin\AppData\Roaming\HideStart.doc.exe

MD5 9e715088d1697f1bca03a700dd659e63
SHA1 eaf97a07c0753e69b80031cedbe1ffadec3c30d6
SHA256 f98b9a97937ed570ce48ca1c6e466daa23351cf00e6d25f531ce5c8f42ee5f37
SHA512 f29a841d7946c205cdb4e4863bc5d023f87407e33e2072d733768e99e9cc7b44b4d34dbcf2a228ba49028c031c1238d8e7db433ae8979fbcd455b1a7cf84205e

C:\Users\Admin\Documents\DismountUndo.doc.exe

MD5 f7e1dbb77943e0412c65a771f54b5f9a
SHA1 24f66926080efe3251d4c01853572ec48738b6ed
SHA256 030884636b70923a39c1ee2fdf79108e55fb0bc069aa0171c7360bbc5e634968
SHA512 be5eb9ab31a8bd50efbd6a4bf098f507494484f86d9f0ba1396e02d21c8c763edc6dd7a5487c355e8a8be31576b8b30cf7234b22b082dfad514230854890ba17

memory/216-125-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-124-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-123-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

memory/216-122-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 13b8b5c75e6e542e1962989a83e56042
SHA1 b033721b7da5cdc6ba0a24f96f7bafcb14004492
SHA256 76018c87a8f5dad5d4dc81ba171baf542f38597b240a5cd34391f540b2b9c1e9
SHA512 bbc11db570ff247ad9ebe5e3db168af415e636fe9e82fd7d8aac70ba5fb914e2546871ebcbcbe21fb7052173acccc3940200551cef64c89f450bafec5dfc2e79

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 6e85f786c2fde4d057f4e32f5f88634c
SHA1 1fe254a018ce0d4e0b723f6b0ade8793777bed21
SHA256 1fd02d315d1e1278657702b203c479bf9d656a193dc3330062714e44fb429fe3
SHA512 398130f396b712588e8a88bade1d4346f1f834838aa17b7aa2530afa3a70f8b99260b10f5eb371254112807be990134f86414252ef9f5e20f6fc737af80e5100
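To turn this Files section into machine-checkable indicators, here is an added Python example (not from the report or its vendor) that parses a subset of the entries above, embedded verbatim, validates hash lengths, and flags the patterns that matter in this run: double extensions such as .doc.exe, drops under C:\Windows, and the same path written twice with different content. The line layout (a path line, then one `ALGO <hex>` line per hash, and memory/... lines for dumps) is assumed from the section; the document extensions in MASQ_RE are my own choice.

```python
import re
from collections import defaultdict

# Subset of the Files section of this report, copied verbatim (raw string so
# the NT-style \??\ prefix and backslashes survive).
FILES_TEXT = r"""
memory/3640-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\tsvaavdjqrwcosc.exe

MD5 c025ee65631ac6b11d15735904c4cad9
SHA1 a989b9372927ae8428406adc13fa284d76cde534
SHA256 fdbe0dfb3d182683d1b558f3a9ddb97d5ff673511cacb4ad4c7c5d9c986f2068
SHA512 0390a11bc6b7b611d6d8a39456997805a0112d07d67c40e64d721b5693943690e817595b42f40d717c12f51d3e994ed9f51c1ba427924746105779979c4a7efc

memory/216-39-0x00007FFD57310000-0x00007FFD57320000-memory.dmp

C:\Users\Admin\AppData\Roaming\HideStart.doc.exe

MD5 9e715088d1697f1bca03a700dd659e63
SHA1 eaf97a07c0753e69b80031cedbe1ffadec3c30d6
SHA256 f98b9a97937ed570ce48ca1c6e466daa23351cf00e6d25f531ce5c8f42ee5f37
SHA512 f29a841d7946c205cdb4e4863bc5d023f87407e33e2072d733768e99e9cc7b44b4d34dbcf2a228ba49028c031c1238d8e7db433ae8979fbcd455b1a7cf84205e

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 13b8b5c75e6e542e1962989a83e56042
SHA1 b033721b7da5cdc6ba0a24f96f7bafcb14004492
SHA256 76018c87a8f5dad5d4dc81ba171baf542f38597b240a5cd34391f540b2b9c1e9
SHA512 bbc11db570ff247ad9ebe5e3db168af415e636fe9e82fd7d8aac70ba5fb914e2546871ebcbcbe21fb7052173acccc3940200551cef64c89f450bafec5dfc2e79

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 6e85f786c2fde4d057f4e32f5f88634c
SHA1 1fe254a018ce0d4e0b723f6b0ade8793777bed21
SHA256 1fd02d315d1e1278657702b203c479bf9d656a193dc3330062714e44fb429fe3
SHA512 398130f396b712588e8a88bade1d4346f1f834838aa17b7aa2530afa3a70f8b99260b10f5eb371254112807be990134f86414252ef9f5e20f6fc737af80e5100
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.I)
PATH_RE = re.compile(r"^(\\\?\?\\)?[A-Za-z]:\\")          # C:\... or \??\C:\...
MASQ_RE = re.compile(r"\.(docx?|rtf|xlsx?|pptx?|pdf|txt)\.exe$", re.I)  # my list
NT_PREFIX = "\\??\\"


def parse_files(text):
    """Parse the Files section into records:
    {"path": str, "kind": "file" | "memdump", "hashes": {ALGO: hex}}."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if cur is None or cur["kind"] != "file":
                raise ValueError(f"hash line without a file entry: {line}")
            if len(digest) != HASH_LEN[algo]:          # catch truncated copies
                raise ValueError(f"bad {algo} length for {cur['path']}")
            cur["hashes"][algo] = digest
        elif line.startswith("memory/"):
            cur = {"path": line, "kind": "memdump", "hashes": {}}
            records.append(cur)
        elif PATH_RE.match(line):
            cur = {"path": line, "kind": "file", "hashes": {}}
            records.append(cur)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return records


def normalise(path):
    """Strip the NT \\??\\ prefix and casefold so both spellings of a path
    compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.casefold()


def triage(records):
    """Flag double extensions, drops under the Windows directory, and paths
    written more than once with different SHA256 content."""
    by_path, flags = defaultdict(set), defaultdict(set)
    for r in records:
        if r["kind"] != "file":
            continue
        p = normalise(r["path"])
        by_path[p].add(r["hashes"].get("SHA256"))
        if MASQ_RE.search(p):
            flags[p].add("double-extension")
        if p.startswith("c:\\windows\\"):
            flags[p].add("windows-dir-drop")
    for p, digests in by_path.items():
        if len(digests) > 1:
            flags[p].add("rewritten")
    return dict(flags)


def unique_sha256(records):
    """Sorted, de-duplicated SHA256 list suitable for a blocklist."""
    return sorted({r["hashes"]["SHA256"] for r in records if "SHA256" in r["hashes"]})


if __name__ == "__main__":
    recs = parse_files(FILES_TEXT)
    for path, f in sorted(triage(recs).items()):
        print(path, sorted(f))
    print(len(unique_sha256(recs)), "distinct SHA256 values")
```

Feeding the whole section through `parse_files` instead of the subset works the same way; the length check is there because hashes copied out of a rendered report are the indicator most often truncated in transit.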