Malware Analysis Report

2025-08-10 14:13

Sample ID 240605-kh91zsbg97
Target 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118
SHA256 ef59ce22252d36c9da7b529a93a33edd78dab24a75c2cfc56b62d5b4e8b96bc3
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ef59ce22252d36c9da7b529a93a33edd78dab24a75c2cfc56b62d5b4e8b96bc3

Threat Level: Known bad

The file 97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Windows security modification

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 08:37

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 08:37

Reported

2024-06-05 08:42

Platform

win7-20240508-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\cmwtettrsi.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vfdpvjlh = "cmwtettrsi.exe" C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ywuydmrz = "pomqrpdkujqpkht.exe" C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "arimlpatwetzi.exe" C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\q: \??\r: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: C:\Windows\SysWOW64\cmwtettrsi.exe N/A
File opened (read-only) \??\a: \??\b: \??\e: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: C:\Windows\SysWOW64\sesbsbus.exe N/A
(The sandbox logged one row per open, 64 rows in total; they are collapsed here to the distinct drive letters each process probed. Neither process opened C: or D:.)

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
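The registry rows above (Explorer visibility, Security Center, the RegEdit policy, the Run keys and Winlogon) are what a responder checks for on other hosts. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own "Set value" format into normalised indicators (\REGISTRY\MACHINE becomes HKLM, \REGISTRY\USER\<SID> becomes HKU\<SID>, a trailing backslash means the key's default value) and emits the reg query lines to verify each one on a live machine. The sample rows are copied from the tables above; the function names (parse_rows, dword_hex, reg_query_lines) and the dictionary layout are mine. Three points it encodes that the table does not state: the SID in the \REGISTRY\USER paths belongs to the sandbox user, so the hkcu option rewrites those keys to HKCU for use in the victim's own session; the sample is 32-bit, so its HKLM\SOFTWARE writes were redirected to Wow6432Node on the 64-bit sandbox and are kept as reported; and SFCDisable = 4294967197 is 0xFFFFFF9D, the value historically used to switch off Windows File Protection on Windows 2000/XP (Vista and later replaced WFP with Windows Resource Protection, which does not use this value). HideFileExt = 1 and ShowSuperHidden = 0 are also Explorer's default settings, so the sample is re-asserting them rather than changing a default; on their own they are weak indicators, while the Security Center overrides, the DisableRegistryTools policy and the Run entries are the ones worth hunting.

```python
"""Turn this report's 'Set value' registry rows into normalised indicators
and into `reg query` commands for checking a live host.  Added example;
the row format is the sandbox's, the function names and dict layout are mine."""
import re

# Rows copied from the behavioral1 tables above; the trailing "N/A" is the
# empty Target column.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vfdpvjlh = "cmwtettrsi.exe" C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "arimlpatwetzi.exe" C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
"""

ROW = re.compile(
    r'^Set value \((int|str|data)\) (\\REGISTRY\\.+?) = '  # value type, full value path
    r'(?:"((?:[^"\\]|\\.)*)"|([0-9A-Fa-f]+)) '             # quoted value or raw hex
    r'(.+)$'                                               # process that wrote it
)
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))
SID_KEY = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\")


def normalise_hive(path):
    # Native object-manager hive names -> the names reg.exe understands.
    for native, short in HIVES:
        if path.startswith(native):
            return short + path[len(native):]
    return path


def parse_row(line):
    line = line.strip()
    if line.endswith(" N/A"):   # drop the empty Target column
        line = line[:-4]
    m = ROW.match(line)
    if not m:
        return None             # Key created / File opened rows are not handled here
    vtype, path, quoted, hexdata, process = m.groups()
    key, _, name = normalise_hive(path).rpartition("\\")   # name "" = (Default)
    if vtype == "int":
        value = int(quoted)
    elif vtype == "str":
        value = re.sub(r"\\(.)", r"\1", quoted)   # undo the report's \" and \\ escaping
    else:
        value = bytes.fromhex(hexdata)
    return {"type": vtype, "key": key, "name": name, "value": value,
            "process": process, "wow64": "\\Wow6432Node\\" in key}


def parse_rows(text):
    return [ioc for ioc in map(parse_row, text.splitlines()) if ioc]


def dword_hex(value):
    # REG_DWORD shown the way it is usually quoted: SFCDisable -> 0xFFFFFF9D.
    return f"0x{value & 0xFFFFFFFF:08X}"


def reg_query_lines(iocs, hkcu=False):
    """One `reg query` per indicator; hkcu=True swaps the sandbox SID for HKCU."""
    cmds = []
    for ioc in iocs:
        key = ioc["key"]
        if hkcu:
            key = SID_KEY.sub(lambda _: "HKCU\\", key)
        selector = "/ve" if ioc["name"] == "" else f'/v "{ioc["name"]}"'
        cmds.append(f'reg query "{key}" {selector}')
    return cmds


if __name__ == "__main__":
    iocs = parse_rows(SAMPLE_ROWS)
    for ioc in iocs:
        proc = ioc["process"].rsplit("\\", 1)[-1]
        shown = ioc["value"]
        if ioc["type"] == "int":
            shown = f"{ioc['value']} ({dword_hex(ioc['value'])})"
        print(f'{proc:22} {ioc["key"]}\\{ioc["name"] or "(Default)"} = {shown}')
    print()
    print("\n".join(reg_query_lines(iocs, hkcu=True)))
```

Run it to print the indicators and the reg query commands; reg query is the stock Windows tool, so the output can be pasted into an elevated prompt on a suspect host. On a 32-bit host there is no Wow6432Node, so the HKLM\SOFTWARE\Wow6432Node paths should be queried without that component.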

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (8 matches, no indicator details reported)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\cmwtettrsi.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmwtettrsi.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pomqrpdkujqpkht.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sesbsbus.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sesbsbus.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pomqrpdkujqpkht.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\arimlpatwetzi.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\arimlpatwetzi.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\cmwtettrsi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sesbsbus.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sesbsbus.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sesbsbus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sesbsbus.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sesbsbus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sesbsbus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\sesbsbus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\sesbsbus.exe N/A
(Duplicate event rows collapsed; the original table listed 15 rows.)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C70F14E7DBB2B8C07CE9ECE737BC" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\cmwtettrsi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C0C9D5582206A4277D477222DDC7CF664AB" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB3FE1B22D8D109D0A48A759162" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cmwtettrsi.exe N/A
N/A N/A C:\Windows\SysWOW64\cmwtettrsi.exe N/A
N/A N/A C:\Windows\SysWOW64\cmwtettrsi.exe N/A
N/A N/A C:\Windows\SysWOW64\cmwtettrsi.exe N/A
N/A N/A C:\Windows\SysWOW64\cmwtettrsi.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\sesbsbus.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\arimlpatwetzi.exe N/A
N/A N/A C:\Windows\SysWOW64\pomqrpdkujqpkht.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\cmwtettrsi.exe
PID 2232 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\cmwtettrsi.exe
PID 2232 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\cmwtettrsi.exe
PID 2232 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\cmwtettrsi.exe
PID 2232 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\pomqrpdkujqpkht.exe
PID 2232 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\pomqrpdkujqpkht.exe
PID 2232 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\pomqrpdkujqpkht.exe
PID 2232 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\pomqrpdkujqpkht.exe
PID 2232 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 2232 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 2232 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 2232 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 2232 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\arimlpatwetzi.exe
PID 2232 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\arimlpatwetzi.exe
PID 2232 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\arimlpatwetzi.exe
PID 2232 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\arimlpatwetzi.exe
PID 1908 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmwtettrsi.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 1908 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmwtettrsi.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 1908 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmwtettrsi.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 1908 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmwtettrsi.exe C:\Windows\SysWOW64\sesbsbus.exe
PID 2232 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2232 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2232 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2232 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2664 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2664 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2664 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2664 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmwtettrsi.exe

cmwtettrsi.exe

C:\Windows\SysWOW64\pomqrpdkujqpkht.exe

pomqrpdkujqpkht.exe

C:\Windows\SysWOW64\sesbsbus.exe

sesbsbus.exe

C:\Windows\SysWOW64\arimlpatwetzi.exe

arimlpatwetzi.exe

C:\Windows\SysWOW64\sesbsbus.exe

C:\Windows\system32\sesbsbus.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2232-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\pomqrpdkujqpkht.exe

MD5 0c9d93ad17306f464e80847bf838e67e
SHA1 bca14057dda91af53b9a96bb54949bcf3f647385
SHA256 ebb73eeeaf54a551760e340563ed2bd54a2c724b6630edba659a394999561716
SHA512 67be726557772c6cbbc54e276ec63a218dbc0273d5da3a1197001f28240be2402cab349e11196bc195858b6b29dc9c68147e1f22af414aa39b0447bec4fb8bb0

\Windows\SysWOW64\cmwtettrsi.exe

MD5 f524f81b68d7d0551be46dd9be19b467
SHA1 feea52047070cfa5cceb4149634055e8e474ebc5
SHA256 a6404528c4398000a1321778d07a9365280354b89f4faa2d764b935dcb80949e
SHA512 c8a97633e25adfc4e4b6857e690cf5b89474ef1469cefa6a43d32be034c3d06a64320c7ec3fc329b455d8a5a3d5d13a3d834f999cf28345b88a26537ce1201f7

\Windows\SysWOW64\sesbsbus.exe

MD5 e5b8281c3f131b25854dd21a80144482
SHA1 adbd3ac43c41225550fea1861230c3ad08965722
SHA256 a474e5e60a2a1d5df3f278b44e1cb305f244b4624ebf619beaaaa5f1cd1b1749
SHA512 799ef830dbb3d215e7d6c655fa19f5ff54a9393fe9339703e9a6b3d80adf85c84bae333794cfe49eb802460849343b11041e7206f57b81400e7883e8b0a56c78

\Windows\SysWOW64\arimlpatwetzi.exe

MD5 a497d8eda042c0d685c2d3d4025ee3b0
SHA1 f3fa333acbca8c5fa0d9ea9ef0c9bd01ac7b999a
SHA256 13b47913160217ca65674bd89b128666dd58449661f6f4f0144259f95bf65602
SHA512 e12f171d8f6a25af02027d7a13111690647ef5192abe2000a32ea549c193c14f9bd66c1113e3f75940d3b63ae8fd3986860d31e060e351d0120ec8a01d9f27e9

memory/2664-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 a3fa98311080ffa8d78c5a668e551601
SHA1 c1072893f7c07f29a471d50f19a5d4cba958d294
SHA256 b68d8fc61e259e5beeee5b4b53930c9fd3245b6fdd8cd36cd1a7483925f4083f
SHA512 65ed8c7c8a8a3d300c634bb6d37cdbe001d2b029086461473d6d28672b0769112b887b0bf0889b1773f20c85d87873b181470f5be900392c574d9443460cd114

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 ddb117511e838170a97c23a72cfb516c
SHA1 299f44038c63e9a2593f12821ddff1b84dd0a1aa
SHA256 1952527db987541d14dc78212b1510d55f9b49dbee54b069fd539d1a28dcec43
SHA512 302a7a4373f8af97252068e7c7c0301a3aff06fadf5135ee9a05b2d3391a0b9378714578b5ab1634dce8be573a64b8a9bcdb917ae9351b5418071250a1d2c6f4

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 5e38e1eb7010355c6fefab56dc376d70
SHA1 d7a6c292c6027a041edd55de94a73e9ae3da8c1d
SHA256 1b4ab45fc3bbe59cf0a84fed5b2dd2e6a5b248da6cc0f4d4777ab5806b4c7eca
SHA512 2b5590020a00a85fba80ac77d9f8e182f0d1d67cebd883f3683ff3c360772b74e422bec2656f2bbe247d9e84c379b29509d398860a389134b5edbe4aa9521b08

C:\Users\Admin\Documents\SwitchUndo.doc.exe

MD5 56e1df669f4f3541839e07f95cdac8de
SHA1 f2b32f0913c8212d78bda3d2fdd422a61cc66f67
SHA256 a7580ad494b3a1bfdfd0164e7bf05a2d53cb65000ce9411c5596d59d344becd4
SHA512 34f11dcde00c62a65fa647dc6e54bffde43ef2e56598a815c56637d7d56d9ab6bad862cb6f907a28873cd8548e0d2f7eb8021045bbe81fba1a1a68081fa3804b

memory/2664-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 9cf503a7e4075074d96473a63160c8e8
SHA1 f550dedca8191ccf03abb04ebedeb42e0dbfbfa4
SHA256 2b86a7bf9a9fb18293876f1215c84d37abadaead6412a8538689e924d140b8c1
SHA512 c49ad0275d2be86d4847ec3876225cf2dbe231cfb03dc942b53f5837bcf95cd21442b511ee750d7587d616524c0acb22f9ae91951ccfe87b681bcbbb33efb011

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 08:37

Reported

2024-06-05 08:42

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "efjjfwikvrqed.exe" C:\Windows\SysWOW64\sktjpsiuyglpmys.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tehekepg = "dwrngpjxkq.exe" C:\Windows\SysWOW64\sktjpsiuyglpmys.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rsaybjdh = "sktjpsiuyglpmys.exe" C:\Windows\SysWOW64\sktjpsiuyglpmys.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\stovwebt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\stovwebt.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sktjpsiuyglpmys.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\efjjfwikvrqed.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created C:\Windows\SysWOW64\stovwebt.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created C:\Windows\SysWOW64\dwrngpjxkq.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dwrngpjxkq.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\efjjfwikvrqed.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Windows\SysWOW64\sktjpsiuyglpmys.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\stovwebt.exe C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\stovwebt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\stovwebt.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70B15E3DBB2B8BD7C97EDE534BA" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7F9D5283516A4477D070552DD67D8565D8" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB0FE6C21DDD27BD0D28B799114" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABFFE10F19384093A4286EB3E94B3FD028843640239E1BA45E909A9" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02E47E1389D52C9BAD732E8D4BB" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFF8482A851B9145D6207D9CBDE6E634584566466344D790" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\dwrngpjxkq.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A
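
The six "txtfile" writes in the table above retarget the (Default) handler of .bat, .reg, .vbs, .wsf, .wsh and .wsc under HKLM\SOFTWARE\Classes. Because txtfile opens in Notepad, double-clicking any of those file types afterwards displays the script instead of running it, which also neuters a cleanup batch file or a .reg fix imported by double-click. The following Python is added here as an example and is not code from the report or from the sandbox vendor: it parses rows in the layout of the table above (that layout is an assumption about the export format, not a documented schema), flags default-handler writes that differ from the stock Windows ProgIDs, and emits reg.exe commands that restore them.

```python
"""Flag script-extension handler hijacks in sandbox registry events.

Added example, not code from the report or from the sandbox vendor.
SAMPLE_ROWS is copied from the 'Modifies registry class' table; the regular
expression for that row layout is an assumption about the export format.
"""
import re

# Stock (Default) ProgIDs under HKLM\SOFTWARE\Classes on Windows 10; verify
# against a clean reference host before using this list for remediation.
DEFAULT_PROGID = {
    ".bat": "batfile",
    ".reg": "regfile",
    ".vbs": "VBSFile",
    ".wsc": "scriptletfile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
}

# Constructed sample: rows copied verbatim from the report table above.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70B15E3DBB2B8BD7C97EDE534BA" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\dwrngpjxkq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02E47E1389D52C9BAD732E8D4BB" C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A',
]

# 'Set value (str) <key>[\] = "<data>" <process> N/A'; the trailing backslash on
# <key> is how the report denotes a write to that key's (Default) value.
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)(?P<default>\\)? = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)
CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\CLASSES\\"


def find_handler_hijacks(rows):
    """Return a finding for every (Default) handler write that differs from the stock ProgID."""
    findings = []
    for row in rows:
        m = SET_VALUE_RE.match(row)
        if not m or not m.group("default"):
            continue  # not a Set value row, or a named value rather than (Default)
        key = m.group("key")
        if not key.upper().startswith(CLASSES_PREFIX):
            continue
        ext = key[len(CLASSES_PREFIX):].split("\\")[0].lower()
        expected = DEFAULT_PROGID.get(ext)
        if expected is None or m.group("data").lower() == expected.lower():
            continue
        findings.append({
            "ext": ext,
            "handler": m.group("data"),
            "expected": expected,
            "process": m.group("proc"),
        })
    return findings


def remediation_commands(findings):
    """reg.exe lines that restore the stock handler; /ve addresses the (Default) value."""
    return [
        f'reg add "HKLM\\SOFTWARE\\Classes\\{f["ext"]}" /ve /d {f["expected"]} /f'
        for f in findings
    ]


if __name__ == "__main__":
    hits = find_handler_hijacks(SAMPLE_ROWS)
    for hit in hits:
        print(f'{hit["ext"]:5} -> {hit["handler"]:8} (stock: {hit["expected"]}) by {hit["process"]}')
    print("\n".join(remediation_commands(hits)))
```

On the rows above this reports all six extensions as redirected to txtfile by dwrngpjxkq.exe and leaves the CLV.Classes values alone, since those are named values rather than handler defaults. A host where an administrator has deliberately re-associated one of these extensions will also be flagged, so treat the stock ProgID list as a baseline to confirm against a clean reference image rather than as ground truth.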

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target Count
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A 2

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe N/A 16
N/A N/A C:\Windows\SysWOW64\dwrngpjxkq.exe N/A 10
N/A N/A C:\Windows\SysWOW64\sktjpsiuyglpmys.exe N/A 10
N/A N/A C:\Windows\SysWOW64\stovwebt.exe N/A 8
N/A N/A C:\Windows\SysWOW64\efjjfwikvrqed.exe N/A 12
N/A N/A C:\Windows\SysWOW64\sktjpsiuyglpmys.exe N/A 2
N/A N/A C:\Windows\SysWOW64\stovwebt.exe N/A 6

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3336 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\dwrngpjxkq.exe 3
PID 3336 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\sktjpsiuyglpmys.exe 3
PID 3336 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\stovwebt.exe 3
PID 3336 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Windows\SysWOW64\efjjfwikvrqed.exe 3
PID 3336 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 2
PID 3020 wrote to memory of 2096 N/A C:\Windows\SysWOW64\dwrngpjxkq.exe C:\Windows\SysWOW64\stovwebt.exe 3
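
Every row in the table above is a parent writing a handful of times into a process it has just started, which is what ordinary process creation looks like under this signature; the table is therefore best read as the detonation's process lineage rather than as evidence of code injection. The Python below, added here as an example and not code from the report or from the sandbox vendor, collapses the repeated rows into counted parent/child edges, rebuilds the tree, and lists binaries that were started more than once. The rows are copied from the table (each with the number of times the report repeats it); the row layout matched by EDGE_RE is an assumption about the export format.

```python
"""Rebuild the process lineage from 'Suspicious use of WriteProcessMemory' rows.

Added example, not code from the report or from the sandbox vendor. The rows
are copied from the table above, each with the number of times it is listed;
the row layout matched by EDGE_RE is an assumption about the export format.
"""
import re
from collections import OrderedDict

_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"

# Constructed sample: the six distinct rows of the table, with their repeat counts.
_ROWS_WITH_COUNTS = [
    (3, rf"PID 3336 wrote to memory of 3020 N/A {_DROPPER} C:\Windows\SysWOW64\dwrngpjxkq.exe"),
    (3, rf"PID 3336 wrote to memory of 2064 N/A {_DROPPER} C:\Windows\SysWOW64\sktjpsiuyglpmys.exe"),
    (3, rf"PID 3336 wrote to memory of 4264 N/A {_DROPPER} C:\Windows\SysWOW64\stovwebt.exe"),
    (3, rf"PID 3336 wrote to memory of 4548 N/A {_DROPPER} C:\Windows\SysWOW64\efjjfwikvrqed.exe"),
    (2, rf"PID 3336 wrote to memory of 4180 N/A {_DROPPER} C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"),
    (3, r"PID 3020 wrote to memory of 2096 N/A C:\Windows\SysWOW64\dwrngpjxkq.exe C:\Windows\SysWOW64\stovwebt.exe"),
]
SAMPLE_ROWS = [row for n, row in _ROWS_WITH_COUNTS for _ in range(n)]

# "PID <a> wrote to memory of <b> N/A <parent image> <child image>"; the child
# image is anchored on a drive letter because image paths may contain spaces.
EDGE_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>.+?) (?P<child>[A-Za-z]:\\.+)$"
)


def parse_edges(rows):
    """Collapse repeated rows into {(parent_pid, child_pid): write_count} plus {pid: image}."""
    edges = OrderedDict()
    images = OrderedDict()
    for row in rows:
        m = EDGE_RE.match(row)
        if not m:
            continue
        ppid, pid = int(m.group("ppid")), int(m.group("pid"))
        images.setdefault(ppid, m.group("parent"))
        images.setdefault(pid, m.group("child"))
        edges[(ppid, pid)] = edges.get((ppid, pid), 0) + 1
    return edges, images


def process_tree(edges):
    """Return {parent_pid: [child_pids]} and the roots (PIDs nobody wrote into)."""
    children = OrderedDict()
    for ppid, pid in edges:
        children.setdefault(ppid, []).append(pid)
    written_to = {pid for _, pid in edges}
    roots = [ppid for ppid in children if ppid not in written_to]
    return children, roots


def instances_by_image(images):
    """Group PIDs by image file name, to spot binaries that were started more than once."""
    groups = OrderedDict()
    for pid, image in images.items():
        groups.setdefault(image.rsplit("\\", 1)[-1], []).append(pid)
    return groups


def render_tree(rows):
    """Indented lineage, one line per process, with the write count on each edge."""
    edges, images = parse_edges(rows)
    children, roots = process_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        suffix = f" ({writes} writes)" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {images[pid]}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
    for name, pids in instances_by_image(parse_edges(SAMPLE_ROWS)[1]).items():
        if len(pids) > 1:
            print(f"{name} started {len(pids)} times: {pids}")
```

The tree has the dropper (PID 3336) as its only root, with dwrngpjxkq.exe, sktjpsiuyglpmys.exe, stovwebt.exe, efjjfwikvrqed.exe and WINWORD.EXE as direct children, and a second stovwebt.exe (PID 2096) under dwrngpjxkq.exe. That second instance matches the second stovwebt.exe entry in the Processes list, whose command line reads C:\Windows\system32\stovwebt.exe: for a 32-bit parent living in SysWOW64, WoW64 file-system redirection maps that system32 path onto SysWOW64, so it is the same dropped binary, not a second copy.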

Processes

C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\97a50fa5b38ce05acef9a1c9b76d192c_JaffaCakes118.exe"

C:\Windows\SysWOW64\dwrngpjxkq.exe

dwrngpjxkq.exe

C:\Windows\SysWOW64\sktjpsiuyglpmys.exe

sktjpsiuyglpmys.exe

C:\Windows\SysWOW64\stovwebt.exe

stovwebt.exe

C:\Windows\SysWOW64\efjjfwikvrqed.exe

efjjfwikvrqed.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\stovwebt.exe

C:\Windows\system32\stovwebt.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 roaming.officeapps.live.com udp 1
NL 52.109.89.19:443 roaming.officeapps.live.com tcp 1
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp 1
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp 1
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp 1
US 8.8.8.8:53 metadata.templates.cdn.office.net udp 1
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp 1
US 8.8.8.8:53 binaries.templates.cdn.office.net udp 1
NL 104.97.14.200:443 binaries.templates.cdn.office.net tcp 44
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp 1
NL 23.62.61.99:443 www.bing.com tcp 1
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 204.79.197.200:443 tse1.mm.bing.net tcp 4
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp 1
US 8.8.8.8:53 udp 2

All of the above is resolver traffic to 8.8.8.8 (forward and PTR lookups) and TLS to Microsoft Office and Bing endpoints, the pattern Word produces on launch; no connection to any other host was recorded during this detonation, so the report yields no network indicator for the dropped executables.

Files

memory/3336-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\sktjpsiuyglpmys.exe

MD5 d2dc625c98fab67179c2d3da405ac7c1
SHA1 328ba204d5455f9efc1e59f2c6988d1214a51ac2
SHA256 14108fb8a466bf8752e52a74867a096233da384608d0cb4a83a7d308297f8dbf
SHA512 d5d80753cb0a1c1e1f9bfddaa818fddccb579b593a1165c497f1923685878711e62fd3533695c3e7a73c084745b6c409c1f07f2e061df6009458d0a9131fb046

C:\Windows\SysWOW64\dwrngpjxkq.exe

MD5 8b5cf7e730a18271c9fa2e51b78e69e5
SHA1 0feb05b27bb2d9307486ac7ef1b51c4f7ad83790
SHA256 2fc29bf4ce337ace23165dc2037614f1275babbbd3019bf264b678373395cb9c
SHA512 a78c8b3e0655ec9219bcb94c170f633d6b82cec50cd3bdcf5ec5817844b8cfe9c2888345130e78edfd78145040b49b7b4727f197069ab5d0c7052d1c1bde1d20

C:\Windows\SysWOW64\stovwebt.exe

MD5 f9765c0a0a1041f986f1afd10ec199d3
SHA1 a31482553f598720c7c310669b305e74c17a4106
SHA256 9e398e74af28a1030884329fdd699aff018978a76fdf277cb19b8e4bda35f766
SHA512 fdefe95332710e355d61946f7d7a3e459f1287c30191b7b2d4cbb97b2b6603bf9d31a6b8382b9acf806eb362c19408ea293cb4bce479d8289cedc117ecb51e4c

C:\Windows\SysWOW64\efjjfwikvrqed.exe

MD5 205541b8f99239212ea27f7bc59f0375
SHA1 a3a93f48169e3d9a877ecf59e7ab3d011aef0342
SHA256 8412be904d746807ecb0ab89212cbac52d802694d75ee5c69542ca04a2d6292e
SHA512 8df1299c0896688bd35417d8981fb0bc6bca9b682ba21c87420525bee9a08dae09b433b16efaeb6fe9c196a24b2307eb8a62c862de6e3ea2f0e14de9320dd400

memory/4180-37-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-36-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-35-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-38-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-39-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-40-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

memory/4180-43-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 a2f476fb970ff4f078a53f0164f2b959
SHA1 531f3f100f11ff07c32df8d88038f4d5da7a58c3
SHA256 f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9
SHA512 f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 6884f1d57fd9eafc66efcf366d57f33a
SHA1 70ee0639e949cd40a87068a3534666349fcd0261
SHA256 4d6339085fd28bc876726935548007d934ceee6a5e5c6ec9dea19fa69bef629c
SHA512 2209164be30ad14f2fb26acf25f67fc9c43059fcd78b2354bda9840ebf9ab5539a28617c06ee0868407e631926de8d308eced815a55169ae1194a24228d364cc

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 61f640a47e9495bebf50d3a23c3bf66e
SHA1 9a3d05e209fea2912ce4284d2ee03f9abdad2af2
SHA256 81cccf7f8d33090e3754abc4d506fae994df5a6ca99f6468e3aa6bec5a44df58
SHA512 0728b027f3c25fba084d0438803b978cbaf318ae4c74778a6cabacd7c86a3902ac5aa47b8176b056aa428922ccecbc8fecf3612264bbcba4c75531d8731fa7a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 940ec4d209695f66fc258b7599860f4f
SHA1 b17a38821baae679d741ce8f5fec6f8b7baf2593
SHA256 705afb63f16757afc64e08b2b46d179346af146c3228b5a77a0ba0ff44abdee9
SHA512 c0b92d78e0b7709777b35d6978ee5f0e1cf34a12092230d8f8acc440bf380cf10cfad6b1512997f552afd5dc7c2cc3fe7a28bd2f71d3c8f4ed10f60e7602b845

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 8a91a0a8f27381b81a25ede12e8498cb
SHA1 a83c3761c1730a8eeb0e13db20b5175cd3b2463a
SHA256 792434584a8a97242982be254860b40cc30c46a5e7ecd221e866074c7b2c19e1
SHA512 52726a362a8b5daa530f042e86ac39991057c625325c22650be10bc98ca59eb55f056d6f638da1d03ab8b8ae5be711ace7b04d1f1a6abb0147a045fc600780fb

C:\Users\Admin\AppData\Local\Temp\TCD9870.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 877662c896d348dbc5844aef2d06af07
SHA1 b862a3c5edf6569e8abb6e67542dfd11d138fa90
SHA256 e316a98edfec8a8ce15ef7e9aca1163edfe8f4a15a9bde0798c7e52cace5f39a
SHA512 d3512a9ded4bde14c47d8b60e5a6ea30c32e31d39e3fbd32622d448fe3666b93d616f7863504db2c162cde428f4cfb69224ce30a0a7f29de032dca80c16ec367

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 1676917d6e3be65d16bbd18176aa5e8e
SHA1 0615cca028bbdb34120918229e69fe154fd8ee7c
SHA256 28fe4890fe0634d230dc06920ef2bc672dbee57c8d1cf897ef4b7701d3510911
SHA512 9b65d3ddc170f4cf556d89ab122a5f51079baaa455b4591f38342097227527c45b4e330d5d7098720842f54f8933e14b38a2fbac5fbe922031fb9699b71bff18

memory/4180-604-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-603-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-602-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/4180-601-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp
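
The Files section lists four dropped executables by hash and several Office files rewritten under a ".doc.exe" name (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, and the MsoIrmProtector.doc.exe copies that stovwebt.exe writes into WinSxS). The Python below is an added example, not code from the report: it sweeps a directory tree for both indicators, a SHA-256 match against the dropped-file hashes and a ".doc.exe" name on a file that starts with the PE "MZ" signature, which a genuine document never does. The demo tree it builds in a temporary directory is constructed for the example.

```python
"""Sweep a directory tree for this sample's dropped files.

Added example, not code from the report. DROPPED_SHA256 is copied from the
Files section; demo_tree() builds a constructed sample tree in a temporary
directory so the sweep can run offline.
"""
import hashlib
import os
import tempfile

# SHA-256 of the four executables the sample drops into SysWOW64 (Files section).
DROPPED_SHA256 = {
    "14108fb8a466bf8752e52a74867a096233da384608d0cb4a83a7d308297f8dbf": "sktjpsiuyglpmys.exe",
    "2fc29bf4ce337ace23165dc2037614f1275babbbd3019bf264b678373395cb9c": "dwrngpjxkq.exe",
    "9e398e74af28a1030884329fdd699aff018978a76fdf277cb19b8e4bda35f766": "stovwebt.exe",
    "8412be904d746807ecb0ab89212cbac52d802694d75ee5c69542ca04a2d6292e": "efjjfwikvrqed.exe",
}
# The sample writes executables under existing document names with ".exe"
# appended (PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe); a real .doc never
# begins with the PE "MZ" signature.
DOUBLE_EXT = ".doc.exe"


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def starts_with_mz(path):
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sweep(root, known_hashes=DROPPED_SHA256):
    """Return sorted [(path, reason)] for hash matches and PE files carrying a .doc.exe name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
                if digest in known_hashes:
                    hits.append((path, f"sha256 match: {known_hashes[digest]}"))
                elif name.lower().endswith(DOUBLE_EXT) and starts_with_mz(path):
                    hits.append((path, "PE with document double extension"))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
    return sorted(hits)


def demo_tree():
    """Constructed tree: one masquerading PE, one benign document, one text file with a .doc.exe name."""
    root = tempfile.mkdtemp(prefix="sweep_")
    office = os.path.join(root, "Office16", "1033")
    os.makedirs(office)
    with open(os.path.join(office, "PROTTPLN.DOC.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # a DOS header stub is enough for the magic check
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0 compound document placeholder")
    with open(os.path.join(root, "notes.doc.exe"), "wb") as fh:
        fh.write(b"plain text, not a PE")  # double extension alone is not flagged
    return root


if __name__ == "__main__":
    for path, reason in sweep(demo_tree()):
        print(f"{reason}: {path}")
```

Run against the demo tree this flags only PROTTPLN.DOC.exe; notes.doc.exe is ignored because the name check is paired with the MZ check, and report.doc is ignored unless its hash is in the known set. On a real host the hash list catches the dropped binaries wherever they were copied, while the double-extension check catches the document overwrites, whose hashes vary with the original file and so cannot be listed in advance.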