Malware Analysis Report

2024-11-30 06:41

Sample ID 240612-wcczvaxemp
Target a193e4b273ce369338408e550ecd76d5_JaffaCakes118
SHA256 729fc5a004f4f978a1bb2ea3e7ee8ea12e1896be1cab5ea5afc21f6cee495c43
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

729fc5a004f4f978a1bb2ea3e7ee8ea12e1896be1cab5ea5afc21f6cee495c43

Threat Level: Known bad

The file a193e4b273ce369338408e550ecd76d5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:46

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:46

Reported

2024-06-12 17:48

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ozrhqepb = "cnjfivaddg.exe" C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zzekemvk = "ckgyxponxesyekh.exe" C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dmqujnuvwhgxo.exe" C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\odpujvjy.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\cnjfivaddg.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dmqujnuvwhgxo.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\odpujvjy.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dmqujnuvwhgxo.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened for modification C:\Windows\SysWOW64\cnjfivaddg.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\odpujvjy.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\odpujvjy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
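Editor's note on the rows above: the process writing them is WINWORD.EXE, which the sample launched to open the dropped C:\Windows\mydoc.rtf (see "Drops file in Windows directory" above), and the two REG_BINARY command values are UTF-16LE text. Decoded, each is a Windows Installer "Darwin descriptor" (a 20-character compressed product GUID, a feature name, ">", a 20-character compressed component GUID) followed by Word's ordinary command tail /n "%1". The same descriptor with feature EXCELFiles and tail /dde appears under the .htm and .mht OpenWithList keys further down. That is Office re-advertising its own file associations on launch, not activity of the malware, so these rows and the adware/spyware tags attached to them are noise when extracting indicators. The decoder below is an added example written for this report, not sandbox output: the two hex strings are copied from the report's rows, the helper and constant names are mine, and it raises on a plain command line so a caller can tell an advertised value from a real one.

```python
"""Decode the UTF-16LE REG_BINARY 'command' values from the report (added example)."""
from collections import namedtuple

Descriptor = namedtuple("Descriptor", "product feature component args")

# Copied from the report: Internet Explorer\Default HTML Editor\shell\edit\command\command
WORD_HTML_EDITOR_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
)
# Copied from the report: Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command
EXCEL_MHT_EDITOR_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900"
    "3800270077002100460049006400310067004c00510020002f0064006400650000000000"
)

GUID_LEN = 20  # Windows Installer compresses a GUID to 20 base-85 characters


def decode_utf16le_hex(hex_value):
    """REG_BINARY bytes as printed by the sandbox -> text, minus the double NUL terminator."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text):
    """Split '<product><feature>><component> <args>' into its four parts.

    Raises ValueError when the text does not have the descriptor shape, so a
    caller can distinguish an advertised (Installer) value from a real command line.
    """
    descriptor, _, args = text.partition(" ")
    if len(descriptor) < 2 * GUID_LEN + 1 or ">" not in descriptor[GUID_LEN:]:
        raise ValueError("not a Darwin descriptor: %r" % text)
    sep = descriptor.index(">", GUID_LEN)      # first '>' after the product GUID
    product = descriptor[:GUID_LEN]
    feature = descriptor[GUID_LEN:sep]
    component = descriptor[sep + 1:]
    if not feature or len(component) != GUID_LEN:
        raise ValueError("unexpected descriptor layout: %r" % descriptor)
    return Descriptor(product, feature, component, args)


def decode_command_value(hex_value):
    """Hex as shown in the report -> Descriptor(product, feature, component, args)."""
    return parse_darwin_descriptor(decode_utf16le_hex(hex_value))


if __name__ == "__main__":
    for label, hex_value in (("Word", WORD_HTML_EDITOR_HEX), ("Excel", EXCEL_MHT_EDITOR_HEX)):
        d = decode_command_value(hex_value)
        print(label, "product=%s feature=%s component=%s args=%s" % d)
```

Both values decode to the same 20-character product prefix, with only the feature (WORDFiles versus EXCELFiles) and the component differing, which is what an Office installation writing its own advertised shortcuts looks like; the plain string siblings of these rows (the "...\WINWORD.EXE" /n "%1" values) carry the same tail.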

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8A4F58826D9132D7297E90BC92E635593067406236D79B" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12E44EE389853C4B9D4329FD4CF" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABFF96AF29084783A4186ED39E6B3FE02F14212024BE1CB42EB08A2" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1296 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1296 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1296 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1296 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1296 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1296 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1296 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1296 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1296 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1296 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1296 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1296 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 2624 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 2624 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 2624 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 2624 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 2568 wrote to memory of 2476 N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2476 N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2476 N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2476 N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 2476 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 2476 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 2476 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1296 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1296 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1296 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1296 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 776 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 776 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 776 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 776 wrote to memory of 2156 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe"

C:\Windows\SysWOW64\cnjfivaddg.exe

cnjfivaddg.exe

C:\Windows\SysWOW64\ckgyxponxesyekh.exe

ckgyxponxesyekh.exe

C:\Windows\SysWOW64\odpujvjy.exe

odpujvjy.exe

C:\Windows\SysWOW64\dmqujnuvwhgxo.exe

dmqujnuvwhgxo.exe

C:\Windows\SysWOW64\odpujvjy.exe

C:\Windows\system32\odpujvjy.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c dmqujnuvwhgxo.exe

C:\Windows\SysWOW64\dmqujnuvwhgxo.exe

dmqujnuvwhgxo.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1296-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ckgyxponxesyekh.exe

MD5 a62675f7fdb77f5ad920b6d5040dd0d8
SHA1 4930f8858ead41f388495c04fca28547780ce2d4
SHA256 ef926e17e5ad2a7c2a6b96220b55e6e065b2ead9fedc54d0d67b245eecde37e1
SHA512 918cf46f767081b5a3ac3fdb5af2e5548ce740fccdc69db5e7b01b163727ec3284f123b3e6fcbc83eb731f381f525236a112e90a75a58e629f3cfeae5ef5043a

\Windows\SysWOW64\cnjfivaddg.exe

MD5 b1eaaea4375d1ef107c2b809ee512473
SHA1 14b78d8c6f9d8b307e6f7db65d587ad242b323d7
SHA256 21c75870514f23c26683e6d05417a5705b360d6eda81117f3b2276f3ec787912
SHA512 ed5d5b3a0fdbdf97bd4bf23789fb5867390c058e251952e8a2209f4946645a5d9406459d58def3faa2d939cbae53531e82e5d4915b74f27dee84afbe9e9c7cba

\Windows\SysWOW64\odpujvjy.exe

MD5 791e12c32d82d1c3aedbeee0b283dad1
SHA1 9410f2533fd39cc61e38ac8cd9c80b5fc46e8e92
SHA256 a76212ecc604f4eeb38e98c39a07c9797a09eed4137a9d39c22c74b69e931029
SHA512 6577475e2241768ccbb5a6a44c22a039a4b2e26674bbc51db963817c5cdd90080fa9348884bf37c882bb3c867e9569e76649debed4ea34b8a60cba74a0089c9f

\Windows\SysWOW64\dmqujnuvwhgxo.exe

MD5 13b7e16727a71bae3fb90f9be7ff60bb
SHA1 7dabeacaa7ef8d13c491d8a0b399fbe658659feb
SHA256 4d75952c0a62ec4b6a17bc9f87c3a2f299c30633095fdc6103919e289423ab9e
SHA512 45c198f541a1fc22d5cb4336fb7e5d7e483f3a003a5c7cb6ca3f3ccf284ca63bc302808b04ea766f8d519a3fc97923cd06813e6500a821c425f9cc8e96e349d7

memory/776-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 ea0d8b8a15675aaf8c4d3d24619d134f
SHA1 eb299766303dc96d71362c6e4938693bf3d6e356
SHA256 10e390f404347d65a76182f7156adbfb5980359a95aafc9504002b398a1eb459
SHA512 e1248b42d17215441e282fc40064c49a9e54208d640fe0025ad5215c2498d690b221b0b2816c235f99c983b9c97e3b367351d860b7bee80318ec6fef09895765

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e96056f4982a3308d9f545a11d839c4c
SHA1 c17ba43bbc9d826a205554149e42a253224564d0
SHA256 e18fc5c57760100f23c7f8342c6cd55f87ea38ad93817d912a8877b9952f30b2
SHA512 c68d294bf35d0f87abf0beb621dd197e07d844b39382cfe62e3bcac8891d0d026f4b8a0f30f40cd38365ed5e5ce057cefda9b0a339a0beead5f79bc97c8d0198

memory/776-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:46

Reported

2024-06-12 17:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dmqujnuvwhgxo.exe" C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozrhqepb = "cnjfivaddg.exe" C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zzekemvk = "ckgyxponxesyekh.exe" C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\odpujvjy.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created C:\Windows\SysWOW64\cnjfivaddg.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\odpujvjy.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dmqujnuvwhgxo.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\odpujvjy.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\cnjfivaddg.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Windows\SysWOW64\cnjfivaddg.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ckgyxponxesyekh.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dmqujnuvwhgxo.exe C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\odpujvjy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\odpujvjy.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768C6FF6621D0D108D0D28B799113" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC77B15E7DAB0B8C17CE9ECE334BB" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12E44EE389853C4B9D4329FD4CF" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8A4F58826D9132D7297E90BC92E635593067406236D79B" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C769C2383596A3577D670272CDA7DF364DE" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABFF96AF29084783A4186ED39E6B3FE02F14212024BE1CB42EB08A2" C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\cnjfivaddg.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\ckgyxponxesyekh.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\dmqujnuvwhgxo.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\cnjfivaddg.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A
N/A N/A C:\Windows\SysWOW64\odpujvjy.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1316 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1316 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\cnjfivaddg.exe
PID 1316 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1316 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1316 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\ckgyxponxesyekh.exe
PID 1316 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1316 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1316 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 1316 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1316 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1316 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Windows\SysWOW64\dmqujnuvwhgxo.exe
PID 1316 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1316 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5032 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 5032 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe
PID 5032 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cnjfivaddg.exe C:\Windows\SysWOW64\odpujvjy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a193e4b273ce369338408e550ecd76d5_JaffaCakes118.exe"

C:\Windows\SysWOW64\cnjfivaddg.exe

cnjfivaddg.exe

C:\Windows\SysWOW64\ckgyxponxesyekh.exe

ckgyxponxesyekh.exe

C:\Windows\SysWOW64\odpujvjy.exe

odpujvjy.exe

C:\Windows\SysWOW64\dmqujnuvwhgxo.exe

dmqujnuvwhgxo.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\odpujvjy.exe

C:\Windows\system32\odpujvjy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 52.111.227.11:443 tcp

Files

memory/1316-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ckgyxponxesyekh.exe

MD5 d6132b33e8efca5e8a9d8284ce938828
SHA1 54cebe849f81908802e4f98b6c552099df6fdc75
SHA256 48d82ae1a01f022292d30e1b0e0f13d1a2cab52eff5820d647c8d8134156035a
SHA512 f823ae45aedb13e89a76b8e8add14d7718b0d743e0b961d09861627be5c07c637b82bb805c31a9fcc114c521c962441d38e49765f90944a12a0887c2d91e448f

C:\Windows\SysWOW64\odpujvjy.exe

MD5 00435d70379a11c9dc31ef4c048a0e8e
SHA1 8551085e53d505bb81483bf86e5eb4914d6e6bd0
SHA256 8843eb83c6d0a727492fbea200074d14ab9f93e358ead5c98bb140b46d8624c9
SHA512 840763bd03faf9127041cfdd3d3c12c051b9aef64f4d39f7939557bdc2bf0fdd640794791853d99e942e8581839be026e54581f4ff2609ab50442a5340c78ebb

C:\Windows\SysWOW64\cnjfivaddg.exe

MD5 d6539de7eb253abac0a25bc7cfdec48d
SHA1 5038e39c014139682fd3234c49c3107138823014
SHA256 b227b4bb158897e03d2cc0e2c9c157451d79b777c4e5ba206e348ab9f9887e63
SHA512 efe0ca2cd842d16d51cc32a4e5703a6b6ad45e5982a16841c37dc13af219dd7755dc559d2fc954f64e61a2fb81d6ec9a202e8c832f192392a6bd23828a475f98

C:\Windows\SysWOW64\dmqujnuvwhgxo.exe

MD5 752bdb36acea7b8558a6a92ee7c051bd
SHA1 c28221df66167f913dc0ad52a6bfb42631aa7ae2
SHA256 47a1575fe1a93ee05f2324ba53af285e44deaeeecd2a280e21afde1ae6f95689
SHA512 0142814fe9fdecea8861abed1d9484e87d423a5ed3260ba40ba684c3dd3dd5a5e1d6367311b2217727c5a9605f47739affd5ec3b745cb1d1187a2e499c58da64

memory/1724-35-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-37-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-38-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-39-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-36-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-40-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

memory/1724-41-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 0f05eb317ff2848114ffd234ea6f35b2
SHA1 670c228dc90371860f4a312df28cefe161b7e58e
SHA256 2a0949dd75e331fddecb55e28e087e136277619c780066ba81897aa432a38bbb
SHA512 dbe0c6b34735b2ef8671fc50c4993c76010d67448f49fd64f9cf783aa0476eb7245483a352d571b0469afa1f500c43bd96c2368f92ea98f79d5682bacf8c62d6

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 bef2640e6679e6ba96d82edbc9353f80
SHA1 d2e0a45861769d13830b440a406bc832b6f5cc7f
SHA256 5f2024a3a943feea3e2363675397a5bbc4ded302a0a8a3e194f0b60b19bd375b
SHA512 3725cc2a500c185be88eeebdc66c45e15c34f40bdb8ab0ba24803ba18499bb6e85727601e67325677bf18784e07006960cc828f0df438f22a3423672eef891f8

C:\Users\Admin\Desktop\RegisterSync.doc.exe

MD5 393fd75602385824ebfa928c7c3e16b5
SHA1 f557bbf3fafdabf65b273237961bd35027b4df7e
SHA256 8543d552b5f3731bbcedf9bca74e18d65e4af1a930d1464b53258b7c76dcf75c
SHA512 e028e19e9084d0a7967599cd95aad692ed2a143dbaebe5b7bb43f411d5d267e867fc286408eed355704af818416906e63cbbd49bd928afed8e4647a7f69ef52e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 8d6aadf28ed6936185f8994946418288
SHA1 aece339d8139d10ac1d608889b445f4d2d866b3f
SHA256 99ed9cc098a5b9d13a42ac18916baf3fac268ce9eb66cf277284f1a1d528889d
SHA512 59ac17fb108d4cbd8c74b3caafbef9ce2b3c0698474ddbb06628e946f221920abc1b15ac36e64fc9cebe27eef77657482a45a0cee1b61271ac1ea3f1f9b2e020

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 8036b7fe44c24bd25bc722f330976129
SHA1 0d0cb74aff7283cc34c19cb4844170c462a2d3c2
SHA256 2bfae79b3cf4805d3a2571a9b08310037094bd33770223e4fe4963dd4cca372d
SHA512 668052cece28191b07a684f1109135042dc253c96e4e5890e2f8f9bbcdd9d000939990a0b66dd86a1a1f2868ffbdea8eceb326309b46c7ec4e50e37c90bfd1e8

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 4e84cb061ec08b953e1b485267ce9001
SHA1 0259fa0416bb0dc0d3446b0d9693ecc3b6f1c201
SHA256 ef76ec78fca91a5ae56bc19627b77c3cc9c4f5d4e59724611cbf9b0c22d6a336
SHA512 debf9e9279a4ea75b728f43c037f90ee8684e6b9369e24adf9ad230524804731569342531c7b46b4ec2baab56e778643a90870296810ca40e6ba5955fc1e9716

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 1d1e82b6e97e89ad7db1793eb4902594
SHA1 ec6ac6a4805d23b80714d504d55ee18d15c43576
SHA256 73a3b5f2e3b2af70c460a2c22a58b638652ce7367c727abcb59e7863bbad7abc
SHA512 a368b47883e2e3031a9147f7793a19359584836f0e9d78f5fef2f79ab585762c9bcdd709d42a18b25c85f2f0549b04b640436e74e9ad1d9e664230d30d2b0d54

memory/1724-121-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-122-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-120-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/1724-123-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp