Malware Analysis Report

2024-11-30 06:36

Sample ID 240612-v34ptaxbpm
Target a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118
SHA256 c1a0690dfbdfa9a48eaa977809e214981c5bcbbf89ba85f2092cecf0e898f78e
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1a0690dfbdfa9a48eaa977809e214981c5bcbbf89ba85f2092cecf0e898f78e

Threat Level: Known bad

The file a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:31

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:31

Reported

2024-06-12 17:34

Platform

win7-20240611-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\wkquytsedy.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\wkquytsedy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iiaeirpo = "troupxyfbvrhbhm.exe" C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "natxzkesmkhml.exe" C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\akqtgepp = "wkquytsedy.exe" C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wkquytsedy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pjevjigi.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\wkquytsedy.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wkquytsedy.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\wkquytsedy.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\natxzkesmkhml.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\natxzkesmkhml.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\troupxyfbvrhbhm.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\troupxyfbvrhbhm.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pjevjigi.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pjevjigi.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\wkquytsedy.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pjevjigi.exe N/A
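The drop pattern in this table is worth hunting for on real hosts: pjevjigi.exe creates PROTTPLV.DOC.exe and PROTTPLN.DOC.exe in the Office14\1033 template folder and touches PROTTPLV.nal and PROTTPLN.nal beside them, while wkquytsedy.exe has already set HideFileExt = 1 in the user's Explorer settings, so Explorer will display the dropped files as "PROTTPLV.DOC". The scanner below is an added example and not part of the sandbox report: it builds a constructed directory tree mirroring those paths, flags files whose last two extensions are a document type followed by an executable type (checking for an MZ header), and pairs each hit with a .nal file sharing its base name. The extension lists are my own, and treating the .nal file as the renamed original is an assumption drawn from the matching stems, not something the report states.

```python
"""Hunt for the drop pattern in the table above: a document-looking name with
a trailing .exe (PROTTPLV.DOC.exe) next to a sibling renamed to .nal
(PROTTPLV.nal).  Added example, not part of the sandbox report; it scans a
constructed directory tree, not a real Office install."""
import os
import tempfile
from pathlib import Path

# Extension lists are my own choice of common lure types and executable types.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe(path: Path) -> bool:
    """Cheap PE check: the file starts with the DOS 'MZ' header."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def classify(path):
    """Label one file, or return None when it is uninteresting."""
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS:
        return "double-extension executable" + (" (PE)" if is_pe(path) else " (not PE)")
    if suffixes and suffixes[-1] == ".nal":
        return "renamed original (.nal)"
    return None


def scan(root: Path) -> dict:
    """Walk root and map each flagged file (path relative to root) to its label."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            label = classify(p)
            if label:
                findings[str(p.relative_to(root))] = label
    return findings


def _base(rel: str) -> str:
    # 'x/PROTTPLV.DOC.exe' and 'x/PROTTPLV.nal' share the base 'x/prottplv'
    p = Path(rel)
    return str(p.parent / p.name.split(".")[0]).lower()


def pair_with_originals(findings: dict) -> list:
    """Pair each double-extension hit with the .nal file sharing its base name.
    Treating .nal as the renamed original is an assumption, not a report fact."""
    nals = {_base(k): k for k, v in findings.items() if v.startswith("renamed")}
    return [(k, nals.get(_base(k))) for k, v in findings.items() if v.startswith("double")]


def build_sample_tree(root: Path) -> None:
    """Constructed layout mirroring the Office14/1033 paths in the report."""
    d = root / "Microsoft Office" / "Office14" / "1033"
    d.mkdir(parents=True)
    for stem in ("PROTTPLV", "PROTTPLN"):
        (d / f"{stem}.DOC.exe").write_bytes(b"MZ" + b"\x00" * 62)      # fake PE stub
        (d / f"{stem}.nal").write_bytes(b"{\\rtf1 original template}")  # fake original
    (d / "WINWORD.EXE").write_bytes(b"MZ")         # single extension: not flagged
    (d / "README.DOC.txt").write_bytes(b"notes")   # trailing .txt is not executable


def run_demo():
    """Build the tree in a temp dir, scan it, and return (findings, pairs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan(root)
        return findings, pair_with_originals(findings)


if __name__ == "__main__":
    findings, pairs = run_demo()
    for rel, label in sorted(findings.items()):
        print(f"{label:32} {rel}")
    for dropped, original in pairs:
        print(f"{dropped} <- probably replaced {original}")
```

Point scan() at a real Program Files tree to use it outside the demo; the MZ check matters because a double-extension name alone is not proof of an executable, and the pairing step is what turns four file hits into two "template replaced by executable" findings.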

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFFF94F5F82199032D72C7D90BCEEE1445935674F6333D798" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB1204792389D53C4BAA23292D7CF" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\wkquytsedy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\wkquytsedy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\wkquytsedy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\wkquytsedy.exe N/A
N/A N/A C:\Windows\SysWOW64\wkquytsedy.exe N/A
N/A N/A C:\Windows\SysWOW64\wkquytsedy.exe N/A
N/A N/A C:\Windows\SysWOW64\wkquytsedy.exe N/A
N/A N/A C:\Windows\SysWOW64\wkquytsedy.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\pjevjigi.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\natxzkesmkhml.exe N/A
N/A N/A C:\Windows\SysWOW64\troupxyfbvrhbhm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\wkquytsedy.exe
PID 2804 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\wkquytsedy.exe
PID 2804 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\wkquytsedy.exe
PID 2804 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\wkquytsedy.exe
PID 2804 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\troupxyfbvrhbhm.exe
PID 2804 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\troupxyfbvrhbhm.exe
PID 2804 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\troupxyfbvrhbhm.exe
PID 2804 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\troupxyfbvrhbhm.exe
PID 2804 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2804 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2804 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2804 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2804 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\natxzkesmkhml.exe
PID 2804 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\natxzkesmkhml.exe
PID 2804 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\natxzkesmkhml.exe
PID 2804 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\natxzkesmkhml.exe
PID 2708 wrote to memory of 2556 N/A C:\Windows\SysWOW64\wkquytsedy.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2708 wrote to memory of 2556 N/A C:\Windows\SysWOW64\wkquytsedy.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2708 wrote to memory of 2556 N/A C:\Windows\SysWOW64\wkquytsedy.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2708 wrote to memory of 2556 N/A C:\Windows\SysWOW64\wkquytsedy.exe C:\Windows\SysWOW64\pjevjigi.exe
PID 2804 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2804 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2804 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2804 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2424 wrote to memory of 2164 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2424 wrote to memory of 2164 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2424 wrote to memory of 2164 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2424 wrote to memory of 2164 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\wkquytsedy.exe

wkquytsedy.exe

C:\Windows\SysWOW64\troupxyfbvrhbhm.exe

troupxyfbvrhbhm.exe

C:\Windows\SysWOW64\pjevjigi.exe

pjevjigi.exe

C:\Windows\SysWOW64\natxzkesmkhml.exe

natxzkesmkhml.exe

C:\Windows\SysWOW64\pjevjigi.exe

C:\Windows\system32\pjevjigi.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2804-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\troupxyfbvrhbhm.exe

MD5 5734c58a04278a3a535a365e8c45aab5
SHA1 18f6d35c7bfb70c2a26e32fd3eb4b242806c194e
SHA256 da7dcc83cadb38df0e39801411d32e55cfccc2eeebe459d529ef3fe66fed0c1e
SHA512 6c182bec60d455455dd489c41e2775780c94e656d41e3b4b7c833fab4dd93d5a553c803e698f0ab6a97b6324b8922462c998b0dddcefb2997b14b0ce4a9fdbfb

\Windows\SysWOW64\wkquytsedy.exe

MD5 7c07820b92c2b8b291a309d2efee302d
SHA1 e8a7b9ee04e6657606975f3f5637cee407e6fab1
SHA256 0a3cd23aa2300a2995ac4512dc35c90ec590e6d5c739ccdda45a1b7a84c32f31
SHA512 2f64dd5ecf5304817ef910cc2a025d128a93daaeee893e49563b79f361542636a378b759e862868ea98727b459cf2d174646bd9829c7ac7f0361173741639dd3

\Windows\SysWOW64\pjevjigi.exe

MD5 32cbd9764add8beec2b8784553f2bc21
SHA1 73723424fa4fec7ba732ac78f92c5f52c5fa8b1b
SHA256 b83df70dc3cb216f028ff85dc7e97a34edf8950e47ebfc8488b07e7d11a0d43b
SHA512 f7099e2a7bbf87f45e61d6568771a0cc404c5aa0c215fca50b1633442c0998cea6c0328822394142819955fe194cd40d648bceea3a554c9bfc8181f1c357d579

\Windows\SysWOW64\natxzkesmkhml.exe

MD5 6bafa195d06cca08c7a29cac5dfeada3
SHA1 b3f6ff4acc8ecc8efaa0668690424bcf6f30337e
SHA256 3e1bd7477580f7a909a69ba8fa9b392d865990547191cbcb39196ee004528aa4
SHA512 eff28e15b392043db33acfff048f01f805dae24f6530970e26dfec4f5689fe435c8550271fb67b3d98de4a49a193a4e5c7b9d45f5aebaa619bb0f6b92fdec1e4

memory/2424-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 396919d223da2fce5e703c55967219a0
SHA1 e7ef2fa5af1088b192bb5855b8e99f2baf9cb7af
SHA256 5fff5457a6dc5483254b4de91577df61ee9bd2dd5c1a23c1c0fdd5e7c42af8de
SHA512 018cbe76eef4c65f3ba3fb531174d8387fba935f40fa647860c65577de4b1f4fadcac7f3233b438dc52449d2235ec0c3dd419e15fcd66e1934adcb47c4196cc5

memory/2424-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:31

Reported

2024-06-12 17:34

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlibmzfi = "jcwjmvhybs.exe" C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oshdfltk = "lqggkrwcjuiaogi.exe" C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "esrbvnysmhucr.exe" C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ywjzutvv.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\esrbvnysmhucr.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\esrbvnysmhucr.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Windows\SysWOW64\jcwjmvhybs.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ywjzutvv.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ywjzutvv.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jcwjmvhybs.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ywjzutvv.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C7B9D5583556A3177D6702E2DD77DF565DA" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB9FE6D21DAD27DD1A48A7F9163" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FCFF4F5D85139045D7297E9CBCEEE144593066426346D6ED" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9F9CCF96AF1E7837B3A43819C3992B0FC03F143610338E1B842E708A3" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B02D47E438E852CBB9D63393D4B9" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70B1593DABFB8B97CE8ECE534BB" C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\jcwjmvhybs.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\jcwjmvhybs.exe N/A
N/A N/A C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe N/A
N/A N/A C:\Windows\SysWOW64\esrbvnysmhucr.exe N/A
N/A N/A C:\Windows\SysWOW64\ywjzutvv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\jcwjmvhybs.exe
PID 4948 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe
PID 4948 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\ywjzutvv.exe
PID 4948 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Windows\SysWOW64\esrbvnysmhucr.exe
PID 624 wrote to memory of 1012 N/A C:\Windows\SysWOW64\jcwjmvhybs.exe C:\Windows\SysWOW64\ywjzutvv.exe
PID 4948 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\jcwjmvhybs.exe

jcwjmvhybs.exe

C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe

lqggkrwcjuiaogi.exe

C:\Windows\SysWOW64\ywjzutvv.exe

ywjzutvv.exe

C:\Windows\SysWOW64\esrbvnysmhucr.exe

esrbvnysmhucr.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\ywjzutvv.exe

C:\Windows\system32\ywjzutvv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4140,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
SE 23.201.43.41:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 41.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/4948-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\lqggkrwcjuiaogi.exe

MD5 740d7186d0f52eaaa73a44e4618238c6
SHA1 95b1fa21603417db227fb969fdd1dd2b2c58bcdb
SHA256 336a5920b354a52ab94effb68a713d2dd93af4635a996faeddb88b623689e22b
SHA512 556f84c2465f3501ce7b7234b6a1abc01fdc43405d69982c2ff5aa3c1dbac0acb898dc397b8b8daf776ecf2ca910c5e55e22932e0f813bd99ac88d5a9dc9be37

C:\Windows\SysWOW64\jcwjmvhybs.exe

MD5 92b3e40ec4d131e9a977a92f3833ce81
SHA1 01d27e71a898fd80dcf56f13063c7120b7a5b6ad
SHA256 c810058af90bd60d5905d97fd77c915cdc5db3ef19841904fa2afbf939b96fdd
SHA512 d955cb1942c22524df5dc715d4e54370e4c3b1106dc7de9465b031b86f0783f9df8555f08319c135556aed7c8c32601628b26f36e676c3ad818691da22a5d12e

C:\Windows\SysWOW64\esrbvnysmhucr.exe

MD5 edcd4de4ea0defbcd6e194603abef10c
SHA1 b077190c6e8228f69591db432566262855886455
SHA256 ff52baac6ae884b70e157fb20c6061cbf98f73c22660310bc73efe787289e847
SHA512 b443b42a8d90029219a47d7e230a9e2d2ad843ddb431a0f63e56e145d4c2b42cdefc43493c4e62e127ae3ce4a68c6e2d3fe54ef36c9d0a847fb128c2f723f5bd

C:\Windows\SysWOW64\ywjzutvv.exe

MD5 a13a6ffdaaec1f762e1dad751db91aa7
SHA1 3306915caea8a0e60b254addf95b19455ebe45f1
SHA256 ec84856f8d98552228c1aabe6fb3e57364c1c5f5d564a753694d12abe57d86a7
SHA512 df4782d91cf57cd3cd387c8e876988fd9514e4591d41bb9f93ef2a5b41a664d8038d09d3ee900804b697dbf49eab92f4196d9fa6f0d3a4cff99db04a1d750caa

memory/4736-37-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-39-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-38-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-40-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-41-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-42-0x00007FF8BDF50000-0x00007FF8BDF60000-memory.dmp

memory/4736-43-0x00007FF8BDF50000-0x00007FF8BDF60000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 e9ad4cc4e576a3d1907fabb1c6a29639
SHA1 ab1dc37cf2e6adb469c50b8f710063f9b0472d73
SHA256 8894289cda3fff197e0e5fcd944e5f6e6982740122386ef2264d100ab6db91f6
SHA512 61c29d70dedfdf4c62561a3350d770c7ff943095000025524ac9d7903f973892dc3c8a0fa15fe27969f4055d368260dccbad6dced76a1d6a91ebafae0b5ebc24

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 2c6714d28986998f5b6fdd0c465ebdcb
SHA1 9781713aeacf768d1d1e30f7ad7d263d1075719d
SHA256 9dd05f1627d0d012ea0cee57221ef96728ca6500ba689ad64cfd9c0e1d3fc8fb
SHA512 16d72cee5c0c2f3ddfabaf07bc44113e06d7557c1a182b501c8c320ed1a1748f85d477f406a256403a7e25de86a878d9bcc080fa4db95815a2acc69121730831

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 9602243b30e5c3ae58bc2bbd7e5b3a1b
SHA1 b238f814f7291f007a55c727b7e7d2cbebe4d82a
SHA256 9b32abc364f95363cb7ce4003b8a2af743308be9b3c86c2d8d32539170b7c95e
SHA512 7c3ed3161903bcd00411567020555740e60b62a1fe51a2df0e68d75ef57c510407a6e729d9ff670010d2db959f6c75226872237d7e44a44d5517cb154ec5892c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 607856e207df66aafb6a180a60756a69
SHA1 51701c3412df1828d7ab5e7e94947d1f5efe4d49
SHA256 0827e52b01eb2ab4fd8c50fad41a4d843d672353da5b75684cbfdb4e9125b61b
SHA512 52296a46497093c99e19c39d15ce84c149b956e1407c078a97a3fc1626296c6b1212e5edf9b24203386fb7266f1da2cf701489c846c3e4c1d10eb3a9f3e81aff

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 6926116dfab20f4c9504e42e1702e7f9
SHA1 04aa3eebb8f9f07c15216d8c4d7107cd66e46fa0
SHA256 b13be05721a6b6efe94e1411509c05d1ecca991017721a3c680536501c7eae90
SHA512 075992cb404cc02036f5f91a4d5c67d93080277aa8f7822f5498aa51e9a26c2648584e188c48e14822d1254939e20219bf7032f5ab3b07336ef39d0cd100b67d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e0e1fe7b060056cd9310f79dbc0fdd3a
SHA1 c736e7c669e9cc03818a7663534c0bec0cee0b13
SHA256 26445057aaac9490d28f8aad76914e608c6a7ad96391425b77924f6e0728e937
SHA512 e5b4501c609fd3ea480e7766694b477c55a4536dd18b228cebf5687bff3cea7223f6bd8a6169346a6cf8063625875137e974b1cfef0c76cb4223915af2d87ebd

C:\Users\Admin\AppData\Local\Temp\TCD1AF1.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/4736-596-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-595-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-594-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp

memory/4736-593-0x00007FF8C0730000-0x00007FF8C0740000-memory.dmp