Malware Analysis Report

2025-03-14 22:36

Sample ID 240406-sdblmadd89
Target e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118
SHA256 c3adf3a04f27b2dab14b14b4849ff6f6562af277b2f2592770717489ab7e806a
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3adf3a04f27b2dab14b14b4849ff6f6562af277b2f2592770717489ab7e806a

Threat Level: Known bad

The file e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 15:00

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 15:00

Reported

2024-04-06 15:02

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\zheddmnpad.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\numzzpch = "zheddmnpad.exe" C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbszytsq = "ccmphxjnuqxskhb.exe" C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yazcwdejvqjhg.exe" C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zheddmnpad.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zheddmnpad.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\zheddmnpad.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ozvmxwbq.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\yazcwdejvqjhg.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ozvmxwbq.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zheddmnpad.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\yazcwdejvqjhg.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\zheddmnpad.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created C:\Windows\SysWOW64\zheddmnpad.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ozvmxwbq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
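The three "Drops file" tables above list the same files several times, under two spellings (C:\ and the NT object-manager form \??\c:\), and mix ordinary drops into SysWOW64 with something more specific: executables named after document files (MsoIrmProtector.doc.exe, PROTTPLN.DOC.exe) written beside Office templates and into the WinSxS component store. The script below is an added example, not output of the sandbox or code from the sample; it normalises and deduplicates rows copied from the tables above and flags the patterns worth hunting for. The flag names and the list of system roots are this example's own choices.

```python
"""Normalise and triage the 'Drops file in ...' rows of this report
(added example, not sandbox code)."""
import re

# Rows copied from the report above (constructed input for this example).
REPORT_ROWS = r"""
File created C:\Windows\SysWOW64\ozvmxwbq.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\zheddmnpad.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\ozvmxwbq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\ozvmxwbq.exe N/A
""".strip().splitlines()

# The indicator path may carry the NT object-manager prefix (\??\) and a
# lower-case drive letter; the writing process always starts with a drive letter.
ROW_RE = re.compile(
    r"^File (?P<action>created|opened for modification) "
    r"(?P<path>(?:\\\?\?\\)?[A-Za-z]:\\.+?) "
    r"(?P<proc>[A-Za-z]:\\.+?) N/A$"
)
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Executable whose name ends in a document extension plus .exe: with Explorer's
# HideFileExt switched on (as this sample does) it displays as the document.
DOC_EXE_RE = re.compile(r"\.(doc|docx|rtf|xls|xlsx|ppt|pptx|pdf|txt)\.exe$", re.IGNORECASE)


def normalize(path: str) -> str:
    # Strip the object-manager prefix and upper-case the drive letter so the
    # two spellings the report uses for one file compare equal.
    if path.startswith("\\??\\"):
        path = path[4:]
    return path[0].upper() + path[1:]


def triage(lines):
    """Return {lower-cased path: {"path", "events", "writers", "flags"}},
    one entry per distinct file (NTFS paths compare case-insensitively)."""
    files = {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        path, writer = normalize(m["path"]), normalize(m["proc"])
        key = path.lower()
        entry = files.setdefault(key, {"path": path, "events": 0, "writers": set(), "flags": set()})
        entry["events"] += 1
        entry["writers"].add(writer)
        if DOC_EXE_RE.search(path.rsplit("\\", 1)[-1]):
            entry["flags"].add("document_named_exe")
        if key.startswith(SYSTEM_ROOTS):
            entry["flags"].add("system_location")
        if key.startswith("c:\\windows\\winsxs\\"):
            entry["flags"].add("winsxs_component_store")  # normally only servicing writes here
        if writer.lower().startswith("c:\\users\\"):
            entry["flags"].add("written_from_user_profile")
    return files


def report(files):
    """Plain triage lines, most-flagged files first."""
    lines = []
    for e in sorted(files.values(), key=lambda e: (-len(e["flags"]), e["path"].lower())):
        writers = "; ".join(sorted(w.rsplit("\\", 1)[-1] for w in e["writers"]))
        flags = ",".join(sorted(e["flags"])) or "-"
        lines.append(f"{e['path']}  events={e['events']}  flags={flags}  writers={writers}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(REPORT_ROWS))))
```

Read together with the HideFileExt = 1 write elsewhere in this run, a file called MsoIrmProtector.doc.exe appears in Explorer as MsoIrmProtector.doc, the name of the rights-management protector that ships in that MSDRM folder (the WinSxS component written to, microsoft-windows-r..t-office-protectors, is the same component). Two hunts follow directly: any *.doc.exe or *.rtf.exe below Program Files or the Windows directory, and any process other than servicing writing below C:\Windows\WinSxS\. The .nal files beside the .DOC.exe drops get only the location flag, because the report says nothing about their content.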

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACEF960F29983783A3286EA39E6B38A038A4260023AE1C542E808A8" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B020449339EF52BDB9D532E8D4BC" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C0B9C2C83206A4176DD70512DDE7D8F64DD" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFF94F2A85129046D7587D90BDE7E634584667366336D7EA" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468B0FE6922A9D17AD1D58A7A9162" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C60814E1DBB1B9CD7FE0ECE437C8" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\zheddmnpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\zheddmnpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\zheddmnpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\zheddmnpad.exe N/A
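The registry rows above (Explorer hiding, the Security Center overrides, DisableRegistryTools, the Run keys, the Winlogon SFC values and the script file types remapped to txtfile) are the most reusable detections in this run. The script below is an added example, not part of this report or of any product's code: it rewrites the sandbox's native \REGISTRY\... paths into the HKLM\... and HKU\<SID>\... form that Sysmon Event ID 13 writes into TargetObject, strips the per-host parts (hive, user SID, WOW6432Node) and emits a Sigma-style rule skeleton per behaviour. The Sysmon and Sigma field names are the standard ones; the tag names and the rule layout are this example's own.

```python
"""Registry 'Set value' rows from this report -> Sysmon-style TargetObject
strings and a Sigma-style detection skeleton (added example, not sandbox code)."""
import json
import re
from dataclasses import dataclass

# Rows copied from the report above (constructed input for this example).
REPORT_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\numzzpch = "zheddmnpad.exe" C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yazcwdejvqjhg.exe" C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\zheddmnpad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\zheddmnpad.exe N/A
""".strip().splitlines()

ROW_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)

# Behaviour buckets (this example's own labels), matched against the portable suffix.
TAGS = [
    (r"\\CurrentVersion\\Run\\", "persistence.run_key"),
    (r"\\Security Center\\", "evasion.security_center"),
    (r"\\Policies\\System\\DisableRegistryTools$", "evasion.disable_regedit"),
    (r"\\Explorer\\Advanced\\(HideFileExt|ShowSuperHidden)$", "evasion.explorer_hiding"),
    (r"\\Winlogon\\SFC", "evasion.sfc_tamper"),
    (r"\\Classes\\\.[^\\]+\\\(Default\)$", "evasion.file_association"),
]


@dataclass(frozen=True)
class RegIndicator:
    target: str   # Sysmon TargetObject form, e.g. HKLM\SOFTWARE\...\AntiVirusOverride
    suffix: str   # tail with hive, user SID and WOW6432Node removed (portable rule key)
    details: str  # data as Sysmon renders it in the Details field
    process: str  # writing process as reported by the sandbox
    tag: str


def to_sysmon_target(nt_path: str) -> str:
    # \REGISTRY\MACHINE\x -> HKLM\x ; \REGISTRY\USER\<SID>\x -> HKU\<SID>\x.
    # A trailing backslash in the report means the key's default value,
    # which Sysmon names "(Default)".
    if nt_path.endswith("\\"):
        nt_path += "(Default)"
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    raise ValueError(f"unexpected registry path: {nt_path!r}")


def portable_suffix(target: str) -> str:
    # Drop hive, user SID and the WOW6432Node redirection: the same key written
    # by a 64-bit process, or under another user's hive, must hit the same rule.
    body = re.sub(r"^(HKLM|HKU\\S-1-5-[\d-]+(?:_Classes)?)\\", "", target)
    return "\\" + body.replace("WOW6432Node\\", "")


def sysmon_details(kind: str, data: str) -> str:
    # Sysmon logs REG_DWORD data as "DWORD (0x%08X)" and string data verbatim.
    return f"DWORD (0x{int(data):08X})" if kind == "int" else data


def parse_rows(lines):
    indicators = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:  # "Key created" / "Key value queried" rows are not value writes
            continue
        target = to_sysmon_target(m["path"])
        suffix = portable_suffix(target)
        tag = next((t for pat, t in TAGS if re.search(pat, suffix)), "uncategorised")
        indicators.append(RegIndicator(target, suffix, sysmon_details(m["type"], m["data"]), m["proc"], tag))
    return indicators


def sigma_skeleton(indicators, tag):
    # One rule per bucket. Sigma string matching is case-insensitive, so the hex
    # case in Details does not matter. Run-key value names are random per
    # infection, so that bucket matches the key and the Details, not the name.
    sel = [i for i in indicators if i.tag == tag]
    selection = {"Details": sorted({i.details for i in sel})}
    if tag == "persistence.run_key":
        selection["TargetObject|contains"] = "\\CurrentVersion\\Run\\"
    else:
        selection["TargetObject|endswith"] = sorted({i.suffix for i in sel})
    return {
        "title": f"Registry tampering observed in sandbox run 240406-sdblmadd89: {tag}",
        "logsource": {"product": "windows", "category": "registry_set"},
        "detection": {"selection": selection, "condition": "selection"},
        "level": "high",
    }


if __name__ == "__main__":
    inds = parse_rows(REPORT_ROWS)
    for i in inds:
        writer = i.process.rsplit("\\", 1)[-1]
        print(f"{i.tag:26} {i.target}  ->  {i.details}  [{writer}]")
    print(json.dumps(sigma_skeleton(inds, "evasion.security_center"), indent=2))
```

Three points the rows support. The WOW6432Node paths are where a 32-bit writer's HKLM\SOFTWARE writes land, so a rule that hard-codes WOW6432Node misses a 64-bit build of the same code; the suffix form above avoids that. SFCDisable = 4294967197 (0xFFFFFF9D) is the Windows 2000/XP-era Windows File Protection switch, and the Security Center *Override and *DisableNotify values date from XP SP2; they have no documented effect on the Windows 10 build used here, but nothing legitimate writes them, which makes them low-noise tamper indicators. The Run values hold bare file names (zheddmnpad.exe, ccmphxjnuqxskhb.exe, yazcwdejvqjhg.exe) rather than full paths, so a rule should match on Details and the Run key, not on the random value names.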

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\zheddmnpad.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\yazcwdejvqjhg.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ozvmxwbq.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A
N/A N/A C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\zheddmnpad.exe
PID 224 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\zheddmnpad.exe
PID 224 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\zheddmnpad.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe
PID 224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 224 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\yazcwdejvqjhg.exe
PID 224 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\yazcwdejvqjhg.exe
PID 224 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\yazcwdejvqjhg.exe
PID 224 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 224 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4556 wrote to memory of 4496 N/A C:\Windows\SysWOW64\zheddmnpad.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 4556 wrote to memory of 4496 N/A C:\Windows\SysWOW64\zheddmnpad.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 4556 wrote to memory of 4496 N/A C:\Windows\SysWOW64\zheddmnpad.exe C:\Windows\SysWOW64\ozvmxwbq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe"

C:\Windows\SysWOW64\zheddmnpad.exe

zheddmnpad.exe

C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe

ccmphxjnuqxskhb.exe

C:\Windows\SysWOW64\ozvmxwbq.exe

ozvmxwbq.exe

C:\Windows\SysWOW64\yazcwdejvqjhg.exe

yazcwdejvqjhg.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\ozvmxwbq.exe

C:\Windows\system32\ozvmxwbq.exe
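The WriteProcessMemory rows are the one place in this report where parent PID, child PID and both image paths appear together, so they can be turned back into a process tree and reconciled with the Processes list. The script below is an added example, not sandbox output; it deduplicates the repeated rows (copied from the signature table above) into parent-to-child edges with a write count, renders the tree, and reports binaries that were started more than once.

```python
"""Rebuild this run's process tree from the 'Suspicious use of
WriteProcessMemory' rows (added example, not sandbox code)."""
import re
from collections import Counter, defaultdict

# Rows copied from the report above (constructed input for this example).
REPORT_ROWS = r"""
PID 224 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\zheddmnpad.exe
PID 224 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\zheddmnpad.exe
PID 224 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\zheddmnpad.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe
PID 224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 224 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\yazcwdejvqjhg.exe
PID 224 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\yazcwdejvqjhg.exe
PID 224 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\yazcwdejvqjhg.exe
PID 224 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 224 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4556 wrote to memory of 4496 N/A C:\Windows\SysWOW64\zheddmnpad.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 4556 wrote to memory of 4496 N/A C:\Windows\SysWOW64\zheddmnpad.exe C:\Windows\SysWOW64\ozvmxwbq.exe
PID 4556 wrote to memory of 4496 N/A C:\Windows\SysWOW64\zheddmnpad.exe C:\Windows\SysWOW64\ozvmxwbq.exe
""".strip().splitlines()

# Both image paths may contain spaces (Program Files), so the writer's path is
# matched lazily up to the next " X:\" and the target takes the rest.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)


def parse_rows(lines):
    """Return (Counter of (writer pid, target pid) -> number of writes, pid -> image path)."""
    writes = Counter()
    images = {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
    return writes, images


def children(writes, pid):
    return sorted(dst for (src, dst) in writes if src == pid)


def roots(writes):
    """PIDs that wrote to others but were never written to: the tree's root(s)."""
    return sorted({s for s, _ in writes} - {d for _, d in writes})


def render_tree(writes, images, pid, depth=0, parent=None):
    """Indented parent -> child listing with the per-edge write count."""
    name = images[pid].rsplit("\\", 1)[-1]
    note = f"  [{writes[(parent, pid)]} parent writes]" if parent is not None else ""
    lines = [f"{'  ' * depth}{pid} {name}{note}"]
    for child in children(writes, pid):
        lines.extend(render_tree(writes, images, child, depth + 1, pid))
    return lines


def image_instances(images):
    """Image basename -> PIDs, for binaries started more than once."""
    by_name = defaultdict(list)
    for pid, img in images.items():
        by_name[img.rsplit("\\", 1)[-1].lower()].append(pid)
    return {n: sorted(p) for n, p in by_name.items() if len(p) > 1}


if __name__ == "__main__":
    writes, images = parse_rows(REPORT_ROWS)
    for root in roots(writes):
        print("\n".join(render_tree(writes, images, root)))
    print("started more than once:", image_instances(images))
```

What the tree shows: the sample (224) starts the four SysWOW64 drops and WINWORD.EXE with C:\Windows\mydoc.rtf, and zheddmnpad.exe (4556) starts a second ozvmxwbq.exe (4496). That second instance is the last entry in the Processes list, whose command line reads C:\Windows\system32\ozvmxwbq.exe while its image path is under SysWOW64: for a 32-bit caller, WOW64 file-system redirection maps System32 to SysWOW64, so both names refer to the same dropped file. On the signature itself: every edge here is a parent writing into a child it has just created, which the sandbox also reports for ordinary process creation; a write into a process the writer did not create would be the injection signal worth escalating, and none appears in this run.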

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/224-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe

MD5 6f0ecef5026e43a63d213d08684bc0dd
SHA1 17bff1fd46450314acfc5e4dd1f4c7e7715933e0
SHA256 dde597fecc2f728857f811dd1eae9026268211f85be088a6d6bdc7b63be12fb5
SHA512 f229c866688172036f6a84adf483f6aa524bfaab7211611ce1aab49fa6eaf010f243b173370244e5975acc5f96aa3698b432bb46347f215ea4985031939f908a

C:\Windows\SysWOW64\zheddmnpad.exe

MD5 fa0278293033bd22b67ce25e6b669023
SHA1 2f81c3b1d1a1da3e11143a3540bd08474f25a649
SHA256 6a03ff8b0e2b2f3f6191c8c03779db94bf8d18a52a0537309447fa1d16c98980
SHA512 27157f91140b9ffb84059685e631269664fe860e928d1b47c12070dddf4919fba8f58f36344063865bc176a5339eed857bfc9f6c3403c4e472700d1aeb934c2a

C:\Windows\SysWOW64\ozvmxwbq.exe

MD5 0db8095f8e91b69ede1be5cabee96437
SHA1 5134370084ce33857973b29122ea85e0be8062c9
SHA256 ecb25ce00b7b530788ae2ff6908fc53c117f6275067fa25dc476391414ef6562
SHA512 8d47976287b5c8fe4ffbf7658843c72d148ae769a3a0bffccf9a6be8e265d9613eb25024d66f0403f13de18b6bb7407caf0d69fcf9734eaceaf2111dfc6ecec2

C:\Windows\SysWOW64\yazcwdejvqjhg.exe

MD5 e741e32217e2015bcf45bf664f24b943
SHA1 9e5ddf1da0c3e7d7bfaadd1475272c5d570a6490
SHA256 cacab44a827090f6f91d9eec7a02d2bbb43bf5be8fce562f54049ad5a4de39fa
SHA512 7d4a7dee4d6afda3baf4a8e652d7ce47953cf05569299bf545bf03a5d78e96be2f9dbcdda9c326430efee9bcdae3e68c737f66eee6c820820fb75f307df8334e

memory/1084-37-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-38-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-39-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-41-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-40-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-42-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-44-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-45-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-43-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-46-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-47-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-48-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-49-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-50-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-52-0x00007FF7E0AD0000-0x00007FF7E0AE0000-memory.dmp

memory/1084-51-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-53-0x00007FF7E0AD0000-0x00007FF7E0AE0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 92b8da49db17d7be0f63e54a455a1391
SHA1 8501f386858bfc9556a528a17921dbe8bb754c6d
SHA256 2c44252e9c241c07a52da4b940dcb3d541fba2e6851907a00a10f9cc2b97b88a
SHA512 572dcce13fcb80365cb528640ef02b84ebe43221ec969874f4b3008a60103d867a6903f3441724b405ec41030799f196dd136a4bbc4ff15c1ebe04a9284093f3

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 a594c70919cdcda61b97fa59d320f767
SHA1 af89006937330e9487cb648f0202d7bf9d102b72
SHA256 3df30aefa0e6cc89b8acb53d2abeed46b20be1a31d4b9897011a377dc3d3b83d
SHA512 b8191372745dfe9ae8f80a59e3821dd6936e01041b2316db8bd035711e1ac9746c6586d362630d6d13582e5c86fd48f8329f987e31e5fa8df58e91fa7a476ffb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 fed9a545e591b9901eefac72cb516652
SHA1 0263c21e5d071c68052b78cc0846a1be958905ee
SHA256 a3c28a6d57a734d2618a827235243b7ac7c365e29dec0cb9d589b397738251b9
SHA512 5fee5b3b65e890513384119786e98289707f2864196f15039207bed86d03f454eb8bf58cb3a8e063cde4410cdb2493dc98dc2b78d2b2a46018ef1fb202cf763f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 fc157baa537015a38b9e29ee3bc770d6
SHA1 e2d35e841b852229ee0d2f006b1cda73b48d8b50
SHA256 51e5fc5824aaba1d8483930cbc7a6bdb7ca628c2fa29c5701281fea21b71e253
SHA512 864c1ebdccb87a3cc697f21b80bbd83a4932fe5f72350d88ca0b2a56f05af1b3511091351cd3205ff41109189854c89e36f322d07f85ae4cf64374be1550e73d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 e4bffcbb3c8d40fe7a1dfe176ed712ed
SHA1 93171aae82cbc83e7aa5310fbf36eb2cb06a92c9
SHA256 b0cdb1fb12445c8df73aeac88749b38271c43080ac6e35edf982e0e7b6cfe978
SHA512 114791810667508fb79d9da649916e85ebdef86470b014618bd9558397b9e9eccb631210ffd8ddb56590c49cf36ae140bf4b565fdd0dc44bb5cc5f101d92181d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 71c8efe3bee2db633e9e9a32009bf1e2
SHA1 d95668e7b13c71e669a5939ac73d034c7695e1d1
SHA256 f1a2a281274a71d125697935362de61d1004853185b9befe8631c6cf9506c194
SHA512 fe7778acd4514ceceaed434d5bad970cdb7163d2bd0ef5df2f511d0fdfcb1cd5aa243100031707a540d0d604a43b2588f5d4d9094dcf539a883d51ee623bb3f1

memory/1084-109-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-110-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-111-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-133-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-134-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-135-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

memory/1084-137-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-138-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-139-0x00007FF823210000-0x00007FF823405000-memory.dmp

memory/1084-136-0x00007FF7E3290000-0x00007FF7E32A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 15:00

Reported

2024-04-06 15:02

Platform

win7-20240319-en

Max time kernel

151s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ialycbwk = "ldpfbqzbmr.exe" C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ojaqouou = "gpqjcxzqgyxvyzz.exe" C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kyihcaptjsodn.exe" C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ssnhmibd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
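The registry rows in the signature tables above are the part of this report an analyst acts on, so here is a small triage helper that parses them as they appear on the page, maps the kernel-style \REGISTRY\... paths back to a hive, strips the Wow6432Node component that WOW64 redirection added for the 32-bit SysWOW64 processes, and tags each write against a watch list of the evasion and persistence settings this sample changes. This is an added example by the editor, not part of the sandbox report or its tooling; the sample rows are copied from the tables above (the int/str rows only, so the row pattern can stay simple), the ATT&CK technique IDs and the "effect" strings are the editor's own annotations, and the function and class names are the editor's.

```python
"""Triage the registry writes listed in this report's behavioral1 signatures.

Added example, not part of the sandbox report. Parses the flattened
"Set value (...)" rows, normalises the hive, and tags known evasion and
persistence values.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: int/str rows copied from the report's signature tables.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ialycbwk = "ldpfbqzbmr.exe" C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
"""

# Row layout on the page: Set value (kind) <key>\<name> = "<value>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str|data)\) (?P<key>\\REGISTRY\\.+?) = '
    r'"(?P<value>[^"]*)" (?P<process>.+?) N/A$'
)
MACHINE_PREFIX = '\\REGISTRY\\MACHINE\\'
USER_RE = re.compile(r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)\\')

# (relative key, value name) -> (value the sample writes, ATT&CK technique, effect).
# Editor's annotations; the keys and values themselves come from the report.
WATCHLIST = {
    (r'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'HideFileExt'):
        ('1', 'T1564.001', 'Explorer hides extensions, so PROTTPLN.DOC.exe shows as PROTTPLN.DOC'),
    (r'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'ShowSuperHidden'):
        ('0', 'T1564.001', 'Explorer keeps system/super-hidden files out of view'),
    (r'Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableRegistryTools'):
        ('1', 'T1562.001', 'regedit refuses to start for this user'),
    (r'SOFTWARE\Microsoft\Security Center', 'AntiVirusDisableNotify'):
        ('1', 'T1562.001', 'Security Center stops warning that AV is off'),
    (r'SOFTWARE\Microsoft\Security Center', 'FirewallDisableNotify'):
        ('1', 'T1562.001', 'Security Center stops warning that the firewall is off'),
    (r'SOFTWARE\Microsoft\Security Center', 'UpdatesDisableNotify'):
        ('1', 'T1562.001', 'Security Center stops warning about updates'),
    (r'SOFTWARE\Microsoft\Security Center', 'AntiVirusOverride'):
        ('1', 'T1562.001', 'Security Center stops monitoring AV status'),
    (r'SOFTWARE\Microsoft\Security Center', 'FirewallOverride'):
        ('1', 'T1562.001', 'Security Center stops monitoring firewall status'),
    (r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'SFCDisable'):
        (str(0xFFFFFF9D), 'T1562.001', '4294967197 is 0xFFFFFF9D, the legacy Windows File Protection off switch'),
    (r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'SFCScan'):
        ('0', 'T1562.001', 'no WFP scan at boot'),
}


@dataclass
class Finding:
    process: str
    hive: str
    key: str                  # relative key, Wow6432Node component removed
    name: str
    value: str
    wow64: bool               # write landed in the WOW64-redirected view
    technique: Optional[str]  # ATT&CK technique, or None if not on the watch list
    note: str


def split_hive(path):
    """Map a kernel-style registry path to (hive, relative key, wow64 flag)."""
    if path.startswith(MACHINE_PREFIX):
        hive, rel = 'HKLM', path[len(MACHINE_PREFIX):]
    else:
        m = USER_RE.match(path)
        if m is None:
            raise ValueError(f'unexpected registry path: {path}')
        hive, rel = 'HKU\\' + m.group('sid'), path[m.end():]
    wow64 = '\\Wow6432Node\\' in rel
    return hive, rel.replace('\\Wow6432Node\\', '\\'), wow64


def classify(key, name, value):
    """Return (technique, note) for one write; technique is None when benign/unknown."""
    for (watch_key, watch_name), (bad_value, technique, effect) in WATCHLIST.items():
        if key.lower() == watch_key.lower() and name.lower() == watch_name.lower():
            if value == bad_value:
                return technique, effect
            return None, f'{name} set to {value!r}, not the evasion value {bad_value!r}'
    if key.lower().endswith('\\currentversion\\run'):
        return 'T1547.001', f'autostart of {value} via Run value {name!r}'
    return None, 'not on the watch list'


def triage(rows):
    """Parse every non-empty row and return a Finding per registry write."""
    findings = []
    for line in rows.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f'unparsed row: {line}')
        key_path, _, name = m.group('key').rpartition('\\')
        hive, key, wow64 = split_hive(key_path)
        technique, note = classify(key, name, m.group('value'))
        findings.append(Finding(m.group('process'), hive, key, name,
                                m.group('value'), wow64, technique, note))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f'{f.technique or "-":10} {f.hive}\\{f.key}\\{f.name} = {f.value!r}'
              f'  wow64={f.wow64}  [{f.process}]  {f.note}')
```

Running it tags seven of the eight sample rows; the WINWORD.EXE toolbar row falls through as "not on the watch list", which is the point of keeping the list explicit: Office's own registry chatter is in these tables alongside the sample's writes, and the process column plus a short watch list is what separates them.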

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ssnhmibd.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ssnhmibd.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\kyihcaptjsodn.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
File created C:\Windows\SysWOW64\ldpfbqzbmr.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\ldpfbqzbmr.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\kyihcaptjsodn.exe C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ssnhmibd.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ssnhmibd.exe N/A
File created \??\c:\Program Files\DisableStop.doc.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files\DisableStop.nal C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification \??\c:\Program Files\DisableStop.doc.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files\DisableStop.doc.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification \??\c:\Program Files\DisableStop.doc.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files\DisableStop.nal C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A
File opened for modification C:\Program Files\DisableStop.doc.exe C:\Windows\SysWOW64\ssnhmibd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
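The two "Set value (data)" rows in this table (and the matching ones under Modifies registry class below) show a long hex blob written by WINWORD.EXE to a value named command. The blob is UTF-16LE text, and once decoded it has the shape of a Windows Installer Darwin descriptor: a 20-character compressed ProductCode, a feature name, a ">" separator, a 20-character compressed ComponentId, then the ordinary command-line tail (" /n \"%1\"" for Word, " /dde" for Excel). That is Office re-registering its own advertised HTML/MHTML editor entries, not the sample's payload. The decoder below is an added example by the editor, not part of the sandbox report; the two hex strings are copied from this report as constructed input, the function names are the editor's own, and it deliberately stops at splitting the descriptor rather than expanding the compressed GUIDs.

```python
"""Decode the hex "command" registry data that WINWORD.EXE writes in this report.

Added example, not part of the sandbox report. Shows that the blobs are
UTF-16LE Windows Installer Darwin descriptors (Office self-registration).
"""

# Copied from the report: Default HTML Editor\shell\edit\command\command (WINWORD.EXE)
WORD_EDIT_COMMAND = '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000'
# Copied from the report: .htm\OpenWithList\Excel.exe\shell\edit\command\command (WINWORD.EXE)
EXCEL_EDIT_COMMAND = '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000'

# Base-85 alphabet Windows Installer uses for compressed GUIDs (85 symbols).
DARWIN_ALPHABET = "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~"
COMPRESSED_GUID_LEN = 20  # one 128-bit GUID packs into 20 base-85 characters


def decode_reg_data(hexblob):
    """The sandbox dumps REG data as raw hex; these values are UTF-16LE text
    ending in the extra NUL terminator of a REG_MULTI_SZ, so decode and trim."""
    return bytes.fromhex(hexblob).decode('utf-16-le').rstrip('\x00')


def parse_darwin_descriptor(text):
    """Split '<ProductCode><Feature>><ComponentId> <args>' into its parts.

    Returns None when the text is not shaped like a Darwin descriptor, which
    is what a plain 'C:\\...\\something.exe "%1"' command would give.
    """
    descriptor, _, args = text.partition(' ')
    product = descriptor[:COMPRESSED_GUID_LEN]
    feature, sep, component = descriptor[COMPRESSED_GUID_LEN:].partition('>')
    if sep != '>':
        return None
    if len(product) != COMPRESSED_GUID_LEN or len(component) != COMPRESSED_GUID_LEN:
        return None
    if not all(c in DARWIN_ALPHABET for c in product + component):
        return None
    return {'product': product, 'feature': feature,
            'component': component, 'args': args}


def explain_command_value(hexblob):
    """Decode one blob and say whether it is an MSI advertised entry."""
    text = decode_reg_data(hexblob)
    parts = parse_darwin_descriptor(text)
    return {'text': text, 'darwin': parts is not None, 'parts': parts}


if __name__ == '__main__':
    for label, blob in (('Word', WORD_EDIT_COMMAND), ('Excel', EXCEL_EDIT_COMMAND)):
        info = explain_command_value(blob)
        print(label, repr(info['text']))
        print('   Darwin descriptor:', info['darwin'], info['parts'])
```

Both blobs decode to the same 20-character ProductCode, differing only in the feature (WORDFiles vs EXCELFiles), the component, and the tail; a value here that decodes to a path, a script host or an unfamiliar binary instead would be the thing worth chasing, and for this sample that attention belongs to the rows attributed to ldpfbqzbmr.exe rather than to WINWORD.EXE.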

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BB4FE6822D1D273D0D38B7E9161" C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\ldpfbqzbmr.exe N/A
N/A N/A C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe N/A
N/A N/A C:\Windows\SysWOW64\ssnhmibd.exe N/A
N/A N/A C:\Windows\SysWOW64\kyihcaptjsodn.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ldpfbqzbmr.exe
PID 3048 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe
PID 3048 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\ssnhmibd.exe
PID 3048 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Windows\SysWOW64\kyihcaptjsodn.exe
PID 1940 wrote to memory of 2572 N/A C:\Windows\SysWOW64\ldpfbqzbmr.exe C:\Windows\SysWOW64\ssnhmibd.exe
PID 3048 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2448 wrote to memory of 2660 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe"

C:\Windows\SysWOW64\ldpfbqzbmr.exe

ldpfbqzbmr.exe

C:\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe

gpqjcxzqgyxvyzz.exe

C:\Windows\SysWOW64\ssnhmibd.exe

ssnhmibd.exe

C:\Windows\SysWOW64\kyihcaptjsodn.exe

kyihcaptjsodn.exe

C:\Windows\SysWOW64\ssnhmibd.exe

C:\Windows\system32\ssnhmibd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/3048-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\ssnhmibd.exe

MD5 992d1953af176c78f7e0ed6d4ab58684
SHA1 b0bfc5f668086fa00fe71d0b5575af3ebfeec437
SHA256 be856cfe5dac5dd78994eb2375b716300876350c1b1a48942855bd10a91611fc
SHA512 bed8841370b9fc0472945de92d409f9b335d3e5c70d4d5100f90b059cd57f81b9970e73df88545df4c47da2377a24cb0fc9bb9608478df79e56a2a170eb1a8a5

\Windows\SysWOW64\ldpfbqzbmr.exe

MD5 17c7aa3fb804b761d5a152f57f6e9c33
SHA1 11dbd9b1d5603569ae7fbff2fc6649c3fff4261d
SHA256 36ef8a87f26fd1799a16c5bbebadc91355c4523b84909a10bc3926980d8d9476
SHA512 3e944a2f614f42e30c60818a72600e378df3a79b2c6176f8312ecc8e7bdb4c0c2758ec628e5ff67a8a7217404436564b9ad5db843f89b2168a66460b9bc4a8f8

\Windows\SysWOW64\gpqjcxzqgyxvyzz.exe

MD5 a26a121fe7234efa5d8ab0127732013a
SHA1 ba6bd159f879e666f35aaae316096b98a7ef30a5
SHA256 979248f77e181cbc9fbf68957e1d12152f35695e0b87cd43a0d8cc144f963108
SHA512 3ab2d2d98db6019e8ea68a60b3d0a48a1470b17120de88a7344427f9161be03f694b1f6af85879254d7aad38c2fcf23fcc18caec2a4415ce9fb61b83e19e8c00

\Windows\SysWOW64\kyihcaptjsodn.exe

MD5 ad61b4bcb302261687c556a48cfd2027
SHA1 91a6ce758e1084e6a6ced67f888eb1f68f841626
SHA256 ece2a3a240729602789df1f2ffd55cfac7be2bb7e75e823723f211312aa59b5d
SHA512 a203fb15fbafcd20d63fda69b0077d91cdb417ee623a2db59a6450ae9991426bcbecdf4f2363e046acfc61b155d976bcba48763ed53c36695622ac81afec2048

\??\c:\Program Files\DisableStop.doc.exe

MD5 5685a90aceeb61cc5d8dc3bdb523d9c0
SHA1 f55b4e8cba7fcc3a7f16cbf5c2292ef84cf7f0ae
SHA256 a17221afed61569cde271375b7c7f2ef01e4cea72a162d6debdcd60546b3665c
SHA512 6a6615e47494351e5849116804d1e523bc27f0ddb0fafe44764c6d2a0a9abcca44b000fdd25b629f2d07d3604409514ff4f5057de694bf0bfe5bdf0d377a4a99

memory/2448-51-0x000000002FBD1000-0x000000002FBD2000-memory.dmp

memory/2448-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2448-53-0x000000007163D000-0x0000000071648000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/2448-80-0x000000007163D000-0x0000000071648000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 a03814a7c99a156dbb17cca43d8a10af
SHA1 b9fc4cf26e9a9b79cf124780b60cf159bef3b6da
SHA256 dac73dc64e7c9a217f9192480b0b5c08751a69a9c6198a6e5fe7db3969a40a2a
SHA512 f37142482937646f17e4def6d27c9d9d832e05ba70dfa36397c774bc7b167a235d40a01591d5cdd028cb362dde5103af28a515d310cfde8be031d03cb16e27e3

memory/2448-101-0x000000005FFF0000-0x0000000060000000-memory.dmp