Malware Analysis Report

2024-11-16 13:21

Sample ID 240613-fw4c5sygnr
Target a3f016a419b50d269cc937717f8510b7_JaffaCakes118
SHA256 771c02a1a3d909341615dbe0226cb5e450b0bf7d66e0949a1ab18d362d59f31f
Tags
evasion persistence spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

771c02a1a3d909341615dbe0226cb5e450b0bf7d66e0949a1ab18d362d59f31f

Threat Level: Known bad

The file a3f016a419b50d269cc937717f8510b7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Reads user/profile data of web browsers

Windows security modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:14

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:14

Reported

2024-06-13 05:16

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eyscekbn = "bhqdumcdcw.exe" C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\txrekvnv = "kzqkffyfrjbkagk.exe" C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dqrcoqbxfdlmp.exe" C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\fwmrczce.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fwmrczce.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fwmrczce.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bhqdumcdcw.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\bhqdumcdcw.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bhqdumcdcw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fwmrczce.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\fwmrczce.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\fwmrczce.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C0B9D5783206D4276DD70252CDA7DF665DE" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEF9BEFE17F192830F3B4781EB3997B38D02FE43110332E1CF42E708A1" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bhqdumcdcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FCF94F5D85129137D65F7D97BCE5E134594367346333D6EB" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
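Two rows in the table above are REG_BINARY values ("Set value (data)") that the sandbox prints as hex, so the practitioner cannot see what WINWORD.EXE actually wrote. The script below is an added example by the editor, not part of the sandbox report: the two hex blobs are copied verbatim from the .mht/Word and .htm/Excel rows, and reading them as NUL-terminated UTF-16LE text, then as Windows Installer advertising ("Darwin") descriptors of the form 20-character compressed product code, feature name, ">", 20-character compressed component code and a command-line tail, is the editor's interpretation. Decoded, they are Office's own file-association registration rather than anything the sample planted; the row to keep as a host indicator from this table is the one written by the sample itself, HKLM\SOFTWARE\Classes\CLV.Classes\Com4, whose meaning the report does not establish.

```python
"""Decode the REG_BINARY 'command' values from the registry-class table above.
Added example by the editor, not part of the sandbox report: the two hex blobs
are copied from the 'Set value (data)' rows; reading them as NUL-terminated
UTF-16LE text and as Windows Installer (Darwin) descriptors is the editor's
interpretation."""
from __future__ import annotations

from typing import NamedTuple

# Hex dumps copied from the two REG_BINARY rows above (.mht -> Word, .htm -> Excel).
WORD_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100"
    "210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a007500"
    "20002f006e002000220025003100220000000000"
)
EXCEL_EDIT_COMMAND = (
    "7800620027004200560035002100210021002100"
    "210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c0065007300"
    "3e00560069006a00710042006f00660028005900"
    "3800270077002100460049006400310067004c00"
    "510020002f0064006400650000000000"
)


class Descriptor(NamedTuple):
    product: str    # 20-char compressed product code (the installed Office SKU)
    feature: str    # feature name the shortcut advertises, e.g. WORDFiles
    component: str  # 20-char compressed component code (resolves to the EXE)
    args: str       # command-line tail appended after the resolved path


def decode_utf16_value(hex_blob: str) -> str:
    """REG_BINARY dump -> text, assuming NUL-terminated UTF-16LE."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16")
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_darwin(text: str) -> Descriptor | None:
    """Split <product><feature>><component><args>; None if the shape is wrong."""
    if len(text) < 41 or ">" not in text[20:]:
        return None
    feature, _, tail = text[20:].partition(">")
    if len(tail) < 20 or not feature.isalnum():
        return None
    return Descriptor(text[:20], feature, tail[:20], tail[20:].strip())


def explain(hex_blob: str) -> str:
    """One-line verdict for a blob: MSI descriptor (Office self-registration) or plain text."""
    text = decode_utf16_value(hex_blob)
    d = parse_darwin(text)
    if d is None:
        return f"plain text: {text!r}"
    return f"MSI descriptor: feature={d.feature} args={d.args!r} (product {d.product})"


if __name__ == "__main__":
    for label, blob in (("Word", WORD_EDIT_COMMAND), ("Excel", EXCEL_EDIT_COMMAND)):
        print(label, "->", decode_utf16_value(blob))
        print("   ", explain(blob))
```

Both blobs share the same product code and differ only in feature (WORDFiles versus EXCELFiles), component and tail (/n "%1" versus /dde), which is what Office writes when it re-registers its handlers; a value under a sample-written key that decodes to plain text or to a path outside Program Files would deserve a closer look.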

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A 7
N/A N/A C:\Windows\SysWOW64\bhqdumcdcw.exe N/A 5
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A 1
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 5
N/A N/A C:\Windows\SysWOW64\fwmrczce.exe N/A 4
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 6
N/A N/A C:\Windows\SysWOW64\fwmrczce.exe N/A 4
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 2
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 2
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 1

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A 12

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A 3
N/A N/A C:\Windows\SysWOW64\bhqdumcdcw.exe N/A 3
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 3
N/A N/A C:\Windows\SysWOW64\fwmrczce.exe N/A 3
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 3
N/A N/A C:\Windows\SysWOW64\fwmrczce.exe N/A 3
N/A N/A C:\Windows\explorer.exe N/A 29

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A 3
N/A N/A C:\Windows\SysWOW64\bhqdumcdcw.exe N/A 3
N/A N/A C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe N/A 3
N/A N/A C:\Windows\SysWOW64\fwmrczce.exe N/A 3
N/A N/A C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe N/A 3
N/A N/A C:\Windows\explorer.exe N/A 19

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2860 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\bhqdumcdcw.exe 4
PID 2860 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe 4
PID 2860 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fwmrczce.exe 4
PID 2860 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe 4
PID 2628 wrote to memory of 2408 N/A C:\Windows\SysWOW64\bhqdumcdcw.exe C:\Windows\SysWOW64\fwmrczce.exe 4
PID 2860 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE 4
PID 2576 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe 4
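The WriteProcessMemory rows are the only place in this report where parent and child PIDs appear together, so they are the raw material for a process tree: the sample (2860) writes into four dropped SysWOW64 executables and into WINWORD.EXE, bhqdumcdcw.exe (2628) in turn writes into a second fwmrczce.exe (2408), and Word (2576) writes into splwow64.exe (2004), the normal 64-bit print spooler helper. The rows record that a write happened, not what was written, so on their own they do not establish injection or hollowing. The script below is an added example by the editor, not part of the sandbox report: the rows are copied from the table (one per distinct pair), and the graph code and its rendering are the editor's.

```python
"""Rebuild the parent/child chain from the 'Suspicious use of WriteProcessMemory'
rows above.  Added example by the editor, not part of the sandbox report: the
rows are copied from the table (one per distinct writer/target pair), the graph
code is the editor's."""
from __future__ import annotations

import re

# Rows copied from the table above, one per distinct (writer, target) pair.
ROWS = r"""
PID 2860 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\bhqdumcdcw.exe
PID 2860 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe
PID 2860 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fwmrczce.exe
PID 2860 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe
PID 2628 wrote to memory of 2408 N/A C:\Windows\SysWOW64\bhqdumcdcw.exe C:\Windows\SysWOW64\fwmrczce.exe
PID 2860 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2576 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

# Paths may contain spaces, so split on the first ".exe " boundary, case-insensitively.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)


class ProcessGraph:
    """Parent -> child edges recovered from cross-process memory writes."""

    def __init__(self) -> None:
        self.image: dict[int, str] = {}                # pid -> image path, first-seen order
        self.children: dict[int, list[int]] = {}       # writer pid -> target pids
        self.writes: dict[tuple[int, int], int] = {}   # (writer, target) -> rows seen

    @classmethod
    def from_rows(cls, text: str) -> "ProcessGraph":
        g = cls()
        for line in text.strip().splitlines():
            m = ROW.match(line)
            if not m:
                raise ValueError(f"unparsed row: {line}")
            src, dst = int(m.group(1)), int(m.group(2))
            g.image.setdefault(src, m.group(3))
            g.image.setdefault(dst, m.group(4))
            if dst not in g.children.setdefault(src, []):
                g.children[src].append(dst)
            g.writes[(src, dst)] = g.writes.get((src, dst), 0) + 1
        return g

    def roots(self) -> list[int]:
        """PIDs nobody wrote into: the top of each chain (here the sample itself)."""
        targets = {dst for _, dst in self.writes}
        return [pid for pid in self.image if pid not in targets]

    def instances(self, basename: str) -> list[int]:
        """All PIDs running a given image name, e.g. both fwmrczce.exe copies."""
        want = basename.lower()
        return [pid for pid, path in self.image.items()
                if path.replace("\\", "/").rsplit("/", 1)[-1].lower() == want]

    def render(self, pid: int, depth: int = 0) -> list[str]:
        """Indented tree, two spaces per level, with the number of write rows per edge."""
        out = [f"{'  ' * depth}{pid} {self.image[pid]}"]
        for child in self.children.get(pid, []):
            sub = self.render(child, depth + 1)
            sub[0] += f"  [{self.writes[(pid, child)]} write row(s)]"
            out.extend(sub)
        return out


if __name__ == "__main__":
    graph = ProcessGraph.from_rows(ROWS)
    for root in graph.roots():
        print("\n".join(graph.render(root)))
    print("fwmrczce.exe instances:", graph.instances("fwmrczce.exe"))
```

The Processes section lists fwmrczce.exe twice, the second time as C:\Windows\system32\fwmrczce.exe; for a 32-bit caller that path is redirected by WOW64 to SysWOW64, so both PIDs run the same dropped file. Feeding the full table (four rows per pair) instead of the de-duplicated copy above changes only the per-edge counts.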

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe"

C:\Windows\SysWOW64\bhqdumcdcw.exe

bhqdumcdcw.exe

C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe

kzqkffyfrjbkagk.exe

C:\Windows\SysWOW64\fwmrczce.exe

fwmrczce.exe

C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe

dqrcoqbxfdlmp.exe

C:\Windows\SysWOW64\fwmrczce.exe

C:\Windows\system32\fwmrczce.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2860-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\kzqkffyfrjbkagk.exe

MD5 98a929796568b0d1c2223fd8753b3ad2
SHA1 ce59048058aa53ceeab8edabc5641d66942875b2
SHA256 98c7d8a20957a77818768f8dda67460f6dcd22971919124b9af96d9ba0a5d151
SHA512 9ba1509a5c8e2a6a568bfb9b421ab955f90d61468bc3e3474ddbd981ce97c07a24f8bcf09aa79816fa5b8d083c8006d03408fc9b94ec9ea0bb8cccf8d8ef7cb0

\Windows\SysWOW64\bhqdumcdcw.exe

MD5 e5f2fd0e317a74dbb54d01f5a79f1c39
SHA1 95bdbeff3da1caf6ab169c17b23f34bd6c737003
SHA256 da7b20a9b9d28aefc9cfd924c23cc1db239a7a22d65ee1f65e045606c0ad9cb8
SHA512 85a4db43062976d72d5c71828d1d87b36b0866aef07e11701227ccd5308950433648ddf03bf62529fecc2f615fcd585fb2cf55311444051c533f9df005cddcbb

\Windows\SysWOW64\fwmrczce.exe

MD5 e4de7d1707c1d22c8547d725166ab486
SHA1 b05c6e6b03bdf5ef60245d89b6ae68bea828c7a7
SHA256 0aaf3c2edf66c58fed298b5d456c81f9f7a3eb00e17bd32a8b80676d6d6e7a1f
SHA512 090c8a128ed5b1f21cf4db894ecfe03b37835a4861df97e72c0d48d6eb95b3d05d56c13846a375d3564856d33945bf05045561696766c16649ba367d558119f5

C:\Windows\SysWOW64\dqrcoqbxfdlmp.exe

MD5 f54c0dccf5fb5f7ad2540a6d9cd30f90
SHA1 71772b21fed18825e140eae6845fd37c6ec9a2b7
SHA256 6830e84983047c1eda9f7b8f5dd14e6289904473a46ad3387c908925d9d2ef57
SHA512 0f28e2fe8e6b9e9403f62a456be85d9be551960b29217485ccc4624e5216c103f359b1100c95f7f3d674f63d5461d025715c582e9cbd61ae64cd84a8a5be7e04

memory/2576-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 806d78777758b14c5ab4b026eb11acb2
SHA1 c41134b9c0bc6bf04786a9c326973409fe76e59b
SHA256 4d40c73696c4e61971b4fe4e9f094a6d3bf252e8290a63bf7ed3b16504f60e77
SHA512 21367cfe9eb2d80585dad565c52040d2eea14ae8bd4868bfa53085319dc97391df5385e4b5aa9279578e44d4bd46adb60d82abce2514400197c344a87d4758e2

memory/2068-79-0x00000000027C0000-0x00000000027D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:14

Reported

2024-06-13 05:16

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzzoqtxn = "ljdymtqhnh.exe" C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qblvlpla = "fkfdnuhrfmzrsgy.exe" C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fphhidvtuduzd.exe" C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rffuqrub.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
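The evasion and persistence tables above (file-extension hiding, ShowSuperHidden, DisableRegistryTools, the Security Center values, the Run keys and the Winlogon SFC values) share one format, so they can be triaged mechanically. Two details matter when reading them. First, every HKLM write lands under WOW6432Node, because ljdymtqhnh.exe and fkfdnuhrfmzrsgy.exe are 32-bit processes writing through WOW64 registry redirection: Explorer does process the 32-bit Run key, so the three Run entries are live persistence, whereas the Security Center *Override/*DisableNotify values are XP-era settings with no effect on Windows 10 whatever view they sit in. Second, the sandbox prints DWORDs unsigned, so SFCDisable = "4294967197" is 0xFFFFFF9D, the legacy Windows File Protection switch, which Windows Resource Protection on a modern system ignores. The script below is an added example by the editor, not part of the sandbox report: the rows are copied from the tables, and the rules, the WOW6432Node handling and the reg.exe rollback commands are the editor's, written for 64-bit Windows 10.

```python
"""Triage the registry rows from the behavioral2 evasion/persistence tables.
Added example by the editor, not part of the sandbox report: the sample rows
are copied from the tables above; the rules, the WOW6432Node handling and the
reg.exe rollback commands are the editor's and assume 64-bit Windows 10."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row per distinct key, copied from the tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzzoqtxn = "ljdymtqhnh.exe" C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fphhidvtuduzd.exe" C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
"""

ROW = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (.+?) N/A$')
HIVE = re.compile(r"\\REGISTRY\\(MACHINE|USER\\S-1-5-21-[\d-]+)\\(.*)")

# (regex over "<key>\<value name>", expected data or None for any, tag, note,
#  restore): restore None deletes the value, (type, data) re-adds the default.
RULES = [
    (r"Explorer\\Advanced\\HideFileExt$", "1", "evasion",
     "extensions hidden: the dropped *.DOC.exe files display as *.DOC", ("REG_DWORD", "0")),
    (r"Explorer\\Advanced\\ShowSuperHidden$", "0", "evasion",
     "hidden/system files hidden", ("REG_DWORD", "1")),
    (r"Policies\\System\\DisableRegistryTools$", "1", "evasion", "regedit blocked", None),
    (r"Security Center\\(AntiVirus|Firewall|Updates)?(Override|DisableNotify|FirstRunDisabled)$",
     "1", "evasion", "XP-era Security Center override, inert on Windows 10", None),
    (r"Winlogon\\SFC(Disable|Scan)$", None, "evasion",
     "legacy Windows File Protection switch, ignored under WRP", None),
    (r"CurrentVersion\\Run\\", None, "persistence",
     "autostart entry (Explorer honours the WOW6432Node Run key too)", None),
]


@dataclass
class Finding:
    key: str                  # HKLM\... or HKCU\..., WOW6432Node stripped
    name: str                 # value name ("" = the key's default value)
    value: str
    tag: str
    note: str
    wow64_view: bool          # written through the 32-bit registry view
    rollback: str             # reg.exe command that undoes the change
    signed: int | None = None # signed reading of a DWORD (SFCDisable is -99)


def dword_signed(text: str) -> int:
    """Sandbox prints DWORDs unsigned; 4294967197 is 0xFFFFFF9D, i.e. -99."""
    n = int(text)
    return n - (1 << 32) if n & 0x80000000 else n


def normalise(path: str) -> tuple[str, str, bool]:
    r"""\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\X\Y -> ('HKLM\SOFTWARE\X', 'Y', True)."""
    m = HIVE.match(path)
    if not m:
        raise ValueError(f"unrecognised hive in {path}")
    hive = "HKLM" if m.group(1) == "MACHINE" else "HKCU"
    wow = "\\WOW6432Node\\" in m.group(2)
    key, _, name = m.group(2).replace("WOW6432Node\\", "").rpartition("\\")
    return f"{hive}\\{key}", name, wow


def rollback(key: str, name: str, restore: tuple[str, str] | None, wow: bool) -> str:
    """reg.exe command; /reg:32 addresses the 32-bit view regardless of reg.exe bitness."""
    target = f'/v "{name}"' if name else "/ve"
    view = " /reg:32" if wow else ""
    if restore is None:
        return f'reg delete "{key}" {target} /f{view}'
    return f'reg add "{key}" {target} /t {restore[0]} /d {restore[1]} /f{view}'


def triage(rows: str) -> list[Finding]:
    found: list[Finding] = []
    for line in rows.strip().splitlines():
        m = ROW.match(line)
        if not m:
            continue
        kind, path, value, _writer = m.groups()
        key, name, wow = normalise(path)
        for pattern, expect, tag, note, restore in RULES:
            if re.search(pattern, f"{key}\\{name}") and expect in (None, value):
                signed = dword_signed(value) if kind == "int" else None
                found.append(Finding(key, name, value, tag, note, wow,
                                     rollback(key, name, restore, wow), signed))
                break
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        extra = f" (signed {f.signed}, 0x{int(f.value) & 0xFFFFFFFF:08X})" if f.name == "SFCDisable" else ""
        print(f"[{f.tag}] {f.key}\\{f.name} = {f.value!r}{extra}\n    {f.note}\n    {f.rollback}")
```

The rollback commands restore Explorer defaults and delete values that do not exist on a clean system; they are a cleanup aid for the registry side only, and the dropped SysWOW64 executables the Run entries point at still have to be removed separately.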

AutoIT Executable

Description Indicator Process Target Count
N/A N/A N/A N/A 10

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\rffuqrub.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\rffuqrub.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\fphhidvtuduzd.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\fphhidvtuduzd.exe C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\rffuqrub.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\rffuqrub.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C6081597DBC4B8C87FE4ED9234C8" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFCFE482885199131D7587E93BC90E637594366426234D790" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068C6FF6E21AED108D1D18B0E9164" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C0D9C2D82566A3177D477272CD67D8064A8" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFABFF96BF1E2837E3A4486EC3E93B08902F94262023BE2CD42E709A3" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12C4793389852CFB9D033E9D7C4" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
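The rows above show the dropped ljdymtqhnh.exe pointing the default value of .bat, .vbs, .reg, .wsf, .wsh and .wsc at "txtfile", so double-clicking any of those files opens it in Notepad instead of running it (a cleanup batch file or a .reg fix would silently do nothing), while the original sample stashes hex blobs under its own CLV.Classes key. The script below is an added example, not part of the sandbox output: it parses the rows of this table (copied verbatim as constructed input), lists the hijacked handlers against the stock ProgIDs, pulls out the opaque CLV.Classes values, and emits a .reg body that restores the defaults. The EXPECTED_PROGID table and all function names are assumptions of this example; confirm the ProgIDs against a known-clean host of the same Windows build before relying on them.

```python
"""Audit the 'Modifies registry class' rows for script-handler hijacks.

Added example for this report, not sandbox output.  REPORT_ROWS is copied from
the table above; EXPECTED_PROGID is an assumption about a stock Windows 10
install and should be confirmed against a known-clean host.
"""
import re

# Assumed stock default-value ProgIDs for the extensions this sample rewrote.
EXPECTED_PROGID = {
    ".bat": "batfile",
    ".reg": "regfile",
    ".vbs": "VBSFile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
    ".wsc": "scriptletfile",
}

# Constructed input: the rows of the table above, verbatim.
REPORT_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C6081597DBC4B8C87FE4ED9234C8" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFCFE482885199131D7587E93BC90E637594366426234D790" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068C6FF6E21AED108D1D18B0E9164" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C0D9C2D82566A3177D477272CD67D8064A8" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFABFF96BF1E2837E3A4486EC3E93B08902F94262023BE2CD42E709A3" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12C4793389852CFB9D033E9D7C4" C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
"""

# One 'Set value (str)' row: key path under Classes, value name ('' = default),
# string data, and the writing process.
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
    r'(?P<key>[^ ]+?)\\(?P<name>[^\\ ]*) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$'
)


def parse_set_values(rows):
    """Dicts with key/name/data/proc for every 'Set value (str)' row."""
    return [m.groupdict() for m in map(SET_VALUE_RE.match, rows.splitlines()) if m]


def hijacked_handlers(rows):
    """{ext: (observed ProgID, expected ProgID)} for every extension whose
    default value was pointed away from the stock handler; 'txtfile' means
    the file opens in Notepad instead of executing."""
    found = {}
    for v in parse_set_values(rows):
        if not v["key"].startswith(".") or v["name"] != "":
            continue  # not an extension's default value
        ext = v["key"].lower()
        expected = EXPECTED_PROGID.get(ext)
        if expected is None or v["data"].lower() != expected.lower():
            found[ext] = (v["data"], expected)
    return found


def opaque_config_values(rows, progid="CLV.Classes"):
    """Named values under the sample's own ProgID key; all are hex blobs here,
    which looks like state or configuration stashed in the registry."""
    return {v["name"]: v["data"] for v in parse_set_values(rows)
            if v["key"] == progid and re.fullmatch(r"[0-9A-F]+", v["data"])}


def restore_reg_text(hijacked):
    """A .reg body that puts the stock ProgIDs back (HKLM view only)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for ext, (_, expected) in sorted(hijacked.items()):
        if expected:
            lines += [f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\{ext}]",
                      f'@="{expected}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hijacked = hijacked_handlers(REPORT_ROWS)
    for ext, (seen, want) in sorted(hijacked.items()):
        print(f"{ext}: default is now {seen!r}, expected {want!r}")
    print(restore_reg_text(hijacked))
```

On an infected host the generated .reg text must not be applied by double-clicking it, because .reg itself has been rerouted to txtfile; import it with `reg.exe import` (or set each default with `reg.exe add`), which does not go through the shell association. The hashes of the dropped images in the Files section further down, together with these six extensions, are the indicators worth carrying into a host sweep.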

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\ljdymtqhnh.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fphhidvtuduzd.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A
N/A N/A C:\Windows\SysWOW64\rffuqrub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\ljdymtqhnh.exe
PID 3448 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\ljdymtqhnh.exe
PID 3448 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\ljdymtqhnh.exe
PID 3448 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe
PID 3448 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe
PID 3448 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe
PID 3448 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3448 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3448 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3448 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fphhidvtuduzd.exe
PID 3448 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fphhidvtuduzd.exe
PID 3448 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fphhidvtuduzd.exe
PID 3448 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3448 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3424 wrote to memory of 1796 N/A C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3424 wrote to memory of 1796 N/A C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3424 wrote to memory of 1796 N/A C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Windows\SysWOW64\rffuqrub.exe
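Read as a tree, the rows above give the execution chain: the original sample (PID 3448) writes into each of the four dropped SysWOW64 executables and into WINWORD.EXE (PID 1992, the decoy document), and ljdymtqhnh.exe (PID 3424) in turn starts a second rffuqrub.exe (PID 1796). The script below is an added example, not part of the sandbox output: it parses these rows (copied verbatim as constructed input), rebuilds parent/child relationships, counts how many WriteProcessMemory events hit each child, and tags the images that appear with their own hashes in the Files section as dropped. The DROPPED set and every function name are assumptions of this example.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox output.  WPM_ROWS is copied from the
table above and DROPPED lists the SysWOW64 images that have their own hash
entries in the Files section below.  Nothing here touches a live system.
"""
import re
from collections import defaultdict

# Constructed input: the rows of the table above, verbatim.
WPM_ROWS = r"""
PID 3448 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\ljdymtqhnh.exe
PID 3448 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\ljdymtqhnh.exe
PID 3448 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\ljdymtqhnh.exe
PID 3448 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe
PID 3448 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe
PID 3448 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe
PID 3448 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3448 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3448 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3448 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fphhidvtuduzd.exe
PID 3448 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fphhidvtuduzd.exe
PID 3448 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Windows\SysWOW64\fphhidvtuduzd.exe
PID 3448 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3448 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3424 wrote to memory of 1796 N/A C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3424 wrote to memory of 1796 N/A C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Windows\SysWOW64\rffuqrub.exe
PID 3424 wrote to memory of 1796 N/A C:\Windows\SysWOW64\ljdymtqhnh.exe C:\Windows\SysWOW64\rffuqrub.exe
"""

# Executables the sample wrote to disk (each has a hash entry under Files).
DROPPED = {
    r"c:\windows\syswow64\ljdymtqhnh.exe",
    r"c:\windows\syswow64\fkfdnuhrfmzrsgy.exe",
    r"c:\windows\syswow64\rffuqrub.exe",
    r"c:\windows\syswow64\fphhidvtuduzd.exe",
}

# Paths may contain spaces, so split on the first '.exe ' rather than on blanks.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A "
    r"(?P<ppath>.+?\.exe) (?P<cpath>.+\.exe)$", re.IGNORECASE)


def parse_rows(text):
    """(ppid, cpid, ppath, cpath) per row; repeats kept so writes can be counted."""
    out = []
    for m in map(ROW_RE.match, text.splitlines()):
        if m:
            out.append((int(m["ppid"]), int(m["cpid"]), m["ppath"], m["cpath"]))
    return out


def build_tree(edges):
    """children[ppid] -> sorted child pids, image[pid] -> path,
    writes[cpid] -> number of WriteProcessMemory rows targeting that child."""
    children, image, writes = defaultdict(set), {}, defaultdict(int)
    for ppid, cpid, ppath, cpath in edges:
        children[ppid].add(cpid)
        image[ppid], image[cpid] = ppath, cpath
        writes[cpid] += 1
    return {p: sorted(c) for p, c in children.items()}, image, dict(writes)


def roots(children):
    """PIDs that write into others but were never written into: the entry point."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def lineage(children, pid):
    """PID chain from the root down to `pid`."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, image, writes, pid, depth=0):
    """Indented tree; images the sample dropped are tagged."""
    tag = " [dropped]" if image[pid].lower() in DROPPED else ""
    line = f"{'    ' * depth}{pid} {image[pid]}{tag} (written to {writes.get(pid, 0)}x)"
    lines = [line]
    for c in children.get(pid, []):
        lines.extend(render(children, image, writes, c, depth + 1))
    return lines


if __name__ == "__main__":
    children, image, writes = build_tree(parse_rows(WPM_ROWS))
    for r in roots(children):
        print("\n".join(render(children, image, writes, r)))
```

One detail the tree makes easy to miss: the Processes section shows the second rffuqrub.exe instance (PID 1796) launched with the command line C:\Windows\system32\rffuqrub.exe while its image path is C:\Windows\SysWOW64\rffuqrub.exe. ljdymtqhnh.exe is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it, and the "system32" path resolves to the dropped copy; a detection rule keyed on the literal command-line path would miss this.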

Processes

C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3f016a419b50d269cc937717f8510b7_JaffaCakes118.exe"

C:\Windows\SysWOW64\ljdymtqhnh.exe

ljdymtqhnh.exe

C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe

fkfdnuhrfmzrsgy.exe

C:\Windows\SysWOW64\rffuqrub.exe

rffuqrub.exe

C:\Windows\SysWOW64\fphhidvtuduzd.exe

fphhidvtuduzd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\rffuqrub.exe

C:\Windows\system32\rffuqrub.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp

Files

memory/3448-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\fkfdnuhrfmzrsgy.exe

MD5 fbebd3eb5bbec9cda205884a32103502
SHA1 56ef4747957e013d369aa271a944fcd2523566ee
SHA256 930ea2bc847c9945451705588dbe6ea1f0e5a8149ba941a87ecead1f45233ef8
SHA512 bb79523cefc274317b126a280a2144d1463038902a4bcae8870466f1969c48561e77c53bf07c535e9f6bdbbf3cc546940e529308e6ddb255d51f189f374c601a

C:\Windows\SysWOW64\ljdymtqhnh.exe

MD5 832fc2e4b0404a2d0e953b7c03220182
SHA1 7d67f37d95c5ed7d36beecd0099380041a180259
SHA256 d3d3f2029300103b327f8548ef4868955307640d197bf8d3857fc5ce235d9389
SHA512 3ef46e40392f82d26fc70ced2626e506e79099d5be6d80cab8496f0bde0e62b65cf502eedf5456cecc5d8d3d6ff9985de0db2a3f7fb651c82e1533c91082d3e2

C:\Windows\SysWOW64\rffuqrub.exe

MD5 9415e44943cb85c5a4aefb45a564ed9a
SHA1 8830df1186de7adbab161b7e2d82df81d64a90ae
SHA256 9a675625db9860b311005131feec5dd7e25de24b975bb2e8e8f1657c846b1ff3
SHA512 216d4db0fb4091c42673e836012e07cb0c6ab75167763adb4f598c3d80c73953c442d064d984538ce19fb7075a4209b916c47f5c0a90b9434f0bf7fbae37054c

C:\Windows\SysWOW64\fphhidvtuduzd.exe

MD5 6da66345a34dc2f4252ad69c0886543a
SHA1 c5668332025206be70eff2c9615248efb8222e51
SHA256 fe31c900b62dc2ccbbefb3f038c68c9d011e7583859137b1ac0f96f9bd2c23a5
SHA512 685d30d3129134813ed5684acfc820625ae5ea09aaf3a09c1f92b6ba99ff32713fdb192c7a97834e4355627a333045852f65d151466ecec38cfa12492b2e614f

memory/1992-37-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-39-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-38-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-40-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-41-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-42-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

memory/1992-43-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 f9f280868952d6f5e99492701774eaa3
SHA1 884f4f4746fe0c1a56b7313eb3313f68574fe399
SHA256 a89cf3fc23bb37fa262946ba43e527a353c45719e254e5e292a9b6f73043b3ac
SHA512 e674d1698aafeaf4ed934bd28ba3146c2c5c5965f2211b5c8e39d12b4596e29264f0451c3ab51f09192b2eb3677932fc43cce602b1c712a7fcafc7693d3ac3ad

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 c0efe7d6c7ddf1568cc33cc06dad937c
SHA1 cd58dcbeba68aaecb30a2217aa45a66af4d507eb
SHA256 f419452c6575b919af780063124316000eb66b51826bfe319b20d95778fe8d9e
SHA512 3b629903e9186165c31829d62ccd09eb4a52cbe1d689b4a86f4bfa0a7d08351da772d79e61913b1eee6e26356778f78f7963b901c22ce06fcad1a308b92e582f

C:\Users\Admin\Documents\UnpublishPop.doc.exe

MD5 d69a8469a23f7bf01a041e8924a6ba0b
SHA1 5230d3f699192a6a382dfb1f56cdace81fc9e1fe
SHA256 b1b8b78af1ba607a13d3d923f8fe371a6315200f49f171ee0b1ce668dc1533f9
SHA512 34ebb68c179613da2bf0e9e7dfc12b5705ec6ef38b329814474d67cfef1875d6b03477728abf6ec194dc5da419ee3ee979f24d767be9661990066ed85d9ea98a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f4d0dacbbaa84f968f97185bd4608cb8
SHA1 20803b2cc564e4179a06dbf76e4179af4d137d71
SHA256 fbc52ce26b843fcfb370869627b7786d8bb6b44d3bbda723ef27d29bce0de47b
SHA512 403037148efffb924c44af938e0e4301d29c1c54bcff4c1a7f5e36f15f9c52bf5c38cdceee59c2688b1e571aa96e25d50366ab6fe294293f1177f812ecb672e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 eda8fec93804570c36f6555b7e9d7951
SHA1 f174f8ae1e5c824b0e6b0657fad0d5796f322b1d
SHA256 fbca033e4eec67744f5ab30059c7af1416c0ad206ca8ab0951c661985fcac0f7
SHA512 035398262657243649dc57ebbf0e013b7cc2becb4ddce768a2f67b9274da8a4f2647eb184b1083c411eda7f23cfcbfee4810c54f73683a7c999c6d3aa3dfaec5

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 03bf1ceda7e7dc0c37233197c9661bc8
SHA1 d873a129c48faa31c386e302d032f0d6aa768fb5
SHA256 93dc4e77d6d9f3ed921672fc8e90c9e58284dcafb2a9aaeef8a619a38d86d8ab
SHA512 1ab35b81fea5146febe209b4c1008880c4df0ee59ae437065ab98974490aa89f16385cbd14541878fcdabf72fc1281d9b9be26efc9272c779ead7067b96d7650

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 d68af6a6552f7ba7a6b112d0a2976020
SHA1 2584d43ed52fda098057fc78f10b010872ad4b87
SHA256 7e610e1211c404e3ca290fa0f5158e06bb75a8c95249c1103029f865f29d9ca8
SHA512 39a75434987a7fef74572155496812c4732eab2bd4d1165ce3e8f1b21a2f611f029891968deccc21e2b868d513731e8865b4e9a858c4d7acbcdf1488f4c9ad53

memory/1992-117-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-118-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-116-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1992-119-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp