Malware Analysis Report

2024-11-30 04:15

Sample ID 240613-ah45mazfrr
Target a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118
SHA256 b07a2af3717c3e3f1b48ccd756fb359f0be8d87b442fe8fb959fb3a7c8b0eafb
Tags evasion persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

b07a2af3717c3e3f1b48ccd756fb359f0be8d87b442fe8fb959fb3a7c8b0eafb

Threat Level: Known bad

The file a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies Installed Components in the registry

Disables RegEdit via registry modification

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:13

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:13

Reported

2024-06-13 00:16

Platform

win7-20240221-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zjefugix = "ydqxklwjwy.exe" C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wlfjmhig = "pdregeegfpikagv.exe" C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "plkjqltnwzece.exe" C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\idnbcmuh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pdregeegfpikagv.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\idnbcmuh.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\idnbcmuh.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\plkjqltnwzece.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\plkjqltnwzece.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
File created C:\Windows\SysWOW64\ydqxklwjwy.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ydqxklwjwy.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pdregeegfpikagv.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\idnbcmuh.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\idnbcmuh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8B482B851B9040D72B7E91BDE3E635583667426346D791" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12E47E0399953CDBAA633E9D7CE" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7C9D5782576A3776DC77212CAD7CF265AB" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\ydqxklwjwy.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\pdregeegfpikagv.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\plkjqltnwzece.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\SysWOW64\idnbcmuh.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\ydqxklwjwy.exe
PID 2320 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\ydqxklwjwy.exe
PID 2320 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\ydqxklwjwy.exe
PID 2320 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\ydqxklwjwy.exe
PID 2320 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\pdregeegfpikagv.exe
PID 2320 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\pdregeegfpikagv.exe
PID 2320 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\pdregeegfpikagv.exe
PID 2320 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\pdregeegfpikagv.exe
PID 2320 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 2320 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 2320 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 2320 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 2320 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\plkjqltnwzece.exe
PID 2320 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\plkjqltnwzece.exe
PID 2320 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\plkjqltnwzece.exe
PID 2320 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\plkjqltnwzece.exe
PID 3064 wrote to memory of 3036 N/A C:\Windows\SysWOW64\ydqxklwjwy.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 3064 wrote to memory of 3036 N/A C:\Windows\SysWOW64\ydqxklwjwy.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 3064 wrote to memory of 3036 N/A C:\Windows\SysWOW64\ydqxklwjwy.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 3064 wrote to memory of 3036 N/A C:\Windows\SysWOW64\ydqxklwjwy.exe C:\Windows\SysWOW64\idnbcmuh.exe
PID 2320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe"

C:\Windows\SysWOW64\ydqxklwjwy.exe

ydqxklwjwy.exe

C:\Windows\SysWOW64\pdregeegfpikagv.exe

pdregeegfpikagv.exe

C:\Windows\SysWOW64\idnbcmuh.exe

idnbcmuh.exe

C:\Windows\SysWOW64\plkjqltnwzece.exe

plkjqltnwzece.exe

C:\Windows\SysWOW64\idnbcmuh.exe

C:\Windows\system32\idnbcmuh.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

Network

N/A

Files

memory/2320-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\pdregeegfpikagv.exe

MD5 abcc5b3e655491975a6de9cbd1a57e01
SHA1 2e6c50d6e1e6263eb8fee31acfc98bf6ff769115
SHA256 7387851f1a29e5cd62b9cd14c6d1483a7cd869f5a26fc1f46c1897249c90f550
SHA512 2d14f7f60026a58b33000dd678511dc203847a9e44715b5fc7f64a3e138b474db6a48fb0d91945d635328ba08e601523ebda97e9ce51bf3c0916a31c63caba31

\Windows\SysWOW64\ydqxklwjwy.exe

MD5 cb229e0231fbb9cdda8986095dd148bb
SHA1 8020d47861f7ed3534ca236c043b26ba4a07ef24
SHA256 2b361acfdf320f9a36b2aa3eb7a1477373f884459db8211a7c8989cf0504f560
SHA512 749ab1ddce4e46dc1c6c63fe9e50bf39512a1212596edff41122022d48648601fd599a0ce438bad2fc6e50aa4eddd7865ebbf4d7f99301ca8fc4845413a685ef

\Windows\SysWOW64\idnbcmuh.exe

MD5 6e77dfe81bc39f39cc604d1802658a1a
SHA1 3f9d942cbd277b2052cdb6e3ec023796796a12d6
SHA256 40582a98fbcb286fffbf96af4b6b1b3f3de74fa8d46a1cad23ed6b6730790b6d
SHA512 ba7b6ded4ea055ca08faf7a3058c1d0d125191b3988a9014eba98e02f060d9c61467f0842f52a56a355c8fc7f34393ae475f32448c0634228760746b1da2ba14

\Windows\SysWOW64\plkjqltnwzece.exe

MD5 cc7ea3316c1e0e76d82a3c1606ff4dba
SHA1 ccee5cd01535ad5a57f14fdb2869905a012ee523
SHA256 72a7b422ca5b635d81eb1011b74a3f338725d4fc7656c1027626c6fa025e95c2
SHA512 9d7e3a3f14566a60dd918d27131c0eee34fda4a3e132dccdbccbc86dbb80180613a8c99066d037f5fd5ce18ac4cd4206f756ed555ac267564d930ba7f1edd84b

memory/2464-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 c714fc43ddfe6d2ce84573ae16807683
SHA1 2f8ab8fbe128e4bb128967a37256b50e04552abd
SHA256 e4cf1000fac249d6f94542dc7313db50a13891056f96dc6b79c71d181d561889
SHA512 f64ca5b8f77eb7be1f260bf9b16d17235d3d72924dbaa38f33494bc06c74496c593c8576f8dce4f5e65a1913a559ccb2e709d6dae7c52080af5fdabaa93133f0

C:\Users\Admin\Desktop\CompressConvertFrom.doc.exe

MD5 edf989594ba221d05eb401b7c21087e4
SHA1 b3bf47f4b5df5526313be4a9cd3a9da142eb4a5f
SHA256 ef5ab621e3637f8e9bc890335aec5175950f9b7b3d430e2abf0431659da1dcfb
SHA512 6509bdab52f156a19c2b98e83b1c0dd4ad7d6e555afeff338a9a94c5322b650ad23dad3a72ffe02f628b078604056a5021c667c873729efba7971b355c1ba942

memory/2000-81-0x0000000003CF0000-0x0000000003D00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:13

Reported

2024-06-13 00:16

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uvfeszbt = "dqhgqrtigt.exe" C:\Windows\SysWOW64\mscypqqcbfudgjr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\clhrqelk = "mscypqqcbfudgjr.exe" C:\Windows\SysWOW64\mscypqqcbfudgjr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jxhjjeukpluuk.exe" C:\Windows\SysWOW64\mscypqqcbfudgjr.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ttgjiqtx.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Windows\SysWOW64\dqhgqrtigt.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mscypqqcbfudgjr.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mscypqqcbfudgjr.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
File created C:\Windows\SysWOW64\dqhgqrtigt.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ttgjiqtx.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ttgjiqtx.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\jxhjjeukpluuk.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\jxhjjeukpluuk.exe C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ttgjiqtx.exe N/A (2 events)
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D799C2183586D4677D277222CD77DF265DD" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67D1593DBC0B9BC7CE1ED9234BB" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFC8F4828851B9132D75B7E90BDE6E632594B66426244D79F" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B3FE1D21DDD173D1A48A7B9011" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\dqhgqrtigt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8F9CEF911F29084093A40819A3992B08D028B4214033DE1C942EA09A8" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02E479039E853BEB9D333EAD4CE" C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A (2 events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe N/A (16 events)
N/A N/A C:\Windows\SysWOW64\dqhgqrtigt.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\mscypqqcbfudgjr.exe N/A (10 events)
N/A N/A C:\Windows\SysWOW64\jxhjjeukpluuk.exe N/A (12 events)
N/A N/A C:\Windows\SysWOW64\ttgjiqtx.exe N/A (16 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\dqhgqrtigt.exe (3 events)
PID 3404 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\mscypqqcbfudgjr.exe (3 events)
PID 3404 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\ttgjiqtx.exe (3 events)
PID 3404 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Windows\SysWOW64\jxhjjeukpluuk.exe (3 events)
PID 3404 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (2 events)
PID 916 wrote to memory of 3724 N/A C:\Windows\SysWOW64\dqhgqrtigt.exe C:\Windows\SysWOW64\ttgjiqtx.exe (3 events)

Processes

C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a316ee6c5b7ee445db9eebf286dcce12_JaffaCakes118.exe"

C:\Windows\SysWOW64\dqhgqrtigt.exe

dqhgqrtigt.exe

C:\Windows\SysWOW64\mscypqqcbfudgjr.exe

mscypqqcbfudgjr.exe

C:\Windows\SysWOW64\ttgjiqtx.exe

ttgjiqtx.exe

C:\Windows\SysWOW64\jxhjjeukpluuk.exe

jxhjjeukpluuk.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\ttgjiqtx.exe

C:\Windows\system32\ttgjiqtx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/3404-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\mscypqqcbfudgjr.exe

MD5 4f6980ac02bb1f381806cd34ef9b84d9
SHA1 82e76a120c8ebc6aa55a55b4c87928f03a5bd15c
SHA256 f17eacd133187c42a806a7c8d8e430d8dec7082fb041de2dc2a5969cc5e3b67d
SHA512 73512ff691d39c3cf82b340e6c09285ccc4f2dcde791cfe478c1bb3cd0abc48bcdd3e1342969faa8f643cd7b06df0b1f939fb8246b0a612fef17e5b5c29cfa5e

C:\Windows\SysWOW64\dqhgqrtigt.exe

MD5 fae5dcfb5ffbfa3e0273a2fe77b1d974
SHA1 8426c0e63913c1bdd02601bd204836b7d15803cc
SHA256 76471766d8e8d06e2875dc8701a9871031ebba2c8ece68c4cafd0881fc4fdc9d
SHA512 bea32f5cdbe8cd4ec12b12d4377dcd0e9041bc077b61062f209b6276563915bd52549a085fb02d1b00217001cafb41d824bee0236e60e4b0221cb47f03592132

C:\Windows\SysWOW64\ttgjiqtx.exe

MD5 57642a5b6a10c51d3ed0635813397cb7
SHA1 c9fd2fc3657f2df1282b9b248fd883b462d1c49f
SHA256 712b15ba88b7205546b38adce3b1f8fc9e30a23ea97a55f26126b2fd57fb2c0e
SHA512 36b8b3ef4bbe623e5ee543835713001935514edd1a9a5318a30f86090e9245252f3ce366f8658a1416232503b479b8623bbdb484faca6d5f15f954ced794b0f1

C:\Windows\SysWOW64\jxhjjeukpluuk.exe

MD5 7f965c1858ceb428b6b3eb411801f930
SHA1 ce5246889f49592d4e68e15f21ae70ad1559ea9b
SHA256 73f575014a2bc595b25677e72a907730d062cedb542f666c1ca70fc75c60025a
SHA512 b8a555cfd38f29c53430810909170b8b76297c765ec1c02dd687942a329b0f1095639801663033649765b0b2211b8a15f58de7550a038e139af03e24d2ac4ab4

memory/1076-35-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-37-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-36-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-38-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-39-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-40-0x00007FFF587D0000-0x00007FFF587E0000-memory.dmp

memory/1076-43-0x00007FFF587D0000-0x00007FFF587E0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 a014406ba60abf244008388890b82b14
SHA1 ffcd3c4dd1e48309d7442b89a9e031061e23d4e0
SHA256 bfa7835153419df2d4b9a352b06321402919dea7607bd1ac6e9f08d9afce85af
SHA512 86075ce55d861e33fa365db436ea6383ae34ef73ce86bb046e87ae95af7ef16c9b9bd467c5761cdfeab108f6a85c4fa07ea88844369c2057ea47eecea5b36d49

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 cfd6e8bd36033b1981aae1ba3908d980
SHA1 b50b1b272bbd367deae5a6c81ee9d04e1fc0e0c0
SHA256 88d7b29398d48e256df6ac99f5977e170c699347e662e564f9b8deb897051273
SHA512 e5b8129e2c85cdab4bee9588f1912d63d6bdc870950d4aa383638deafe6000565a3566d51b4589de902cdcb7407770689956b89fb7d3c8a44cc2ff61df122302

C:\Users\Admin\Documents\PushSend.doc.exe

MD5 ad9195ff9a1abace0c1397999840e27f
SHA1 f7547af19c7e890aab66231c90ab6ee6bf9dcce4
SHA256 ac2e2a3fa12bdaacfbbdba4aacef990d316a42f00f699a67c785245d2ae7735a
SHA512 a3e2d6f7ecdb11a12e9ebb0db5d426f1320cd703b980b32a78ba288d20d5b04b6cf6b76674cfbbd897874ef76eacddae6371f3a5dfcdbab36e28a77d4467cc11

C:\Users\Admin\Downloads\ExitUnblock.doc.exe

MD5 67c99bc2a50b4d3a0f675f5cf6079e3e
SHA1 62ba0290a919e944dceb84572af9996794664b1c
SHA256 23e8e6809a68cbaf7e6552ac0ffd332d258d0d790afe7b5605d4ec9ae21c0025
SHA512 338b146728ecf8e410715561588d159da8ea5723bacdeb634244de86b3ff219b3b3e1a510cba62e0687441bb1e9acb726f4093ecc3f3078281372db99deabe1b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 07b5bbb35fc9a59f4010ddcd22d62b25
SHA1 1e6731b9fd5b658c76a0965fac36cbbc3d7fea6e
SHA256 eb78c53a400cebf2a25575cad31553aa120cb615fe5b149ec6858128693fc2ff
SHA512 b1c28209bcfaec2e9e300138e286cde1fa38410cf96647129c01ac963004f9121ba0d3667e640f27056cc7253b1e04c937f7c9b6cfa9707341cbe10578db03d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 a8bcc0c2262122625ac519ff7794d757
SHA1 d73a69a517afb47b184c8477de84c18f03a05943
SHA256 b66bc44f8a6ef0ec0e5185a0025253e26e8429e9d3aab8c4353e7afac2a7193f
SHA512 f7340c3550ed903c269461aec06508ab41f1c599c54af8216500847be9d4dd2f953afea7da93e210a572c74d5aa6e92a402bc21e1189953bafdca80ff2186f65

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 b460fb95f89d072e6204d148a3bfafbf
SHA1 0281611dab2bd6a8178a94c899fa1270797c4ddd
SHA256 a41b8755056e9f72a6b88670789fdf16caefdfbd0736a38f8c8ad4c31472d1ac
SHA512 bb80b7cc783a21ce91ff1920e7c4960fb8853bf52c154a58bf6ef2b330af1f290198fe61a5d1b2ae64c4fc91b1252999c23096f39c3afe6c51cefb809b58fc87

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d0237edd592ddfa472a474ab30ea9a79
SHA1 6493e2411c338f0a3f2733028a270a33b8e94bdf
SHA256 cf6d8b9e3c2754635dcfb18bce0d1acce699d7284ea2cb7af90e059cfc959322
SHA512 8e0783b43d9476aa6f80babf751bc0c509c8d26cc13d179b9d4414a330447c60e5c2fa604a10dd32bf927bf09fe47090bb7f9ee354fdd8bf85ca5dee6f3987a2

memory/1076-121-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-122-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-120-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

memory/1076-123-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp